[House Hearing, 112 Congress] [From the U.S. Government Publishing Office] UNDERSTANDING CONSUMER ATTITUDES ABOUT PRIVACY ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON COMMERCE, MANUFACTURING, AND TRADE OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED TWELFTH CONGRESS FIRST SESSION __________ OCTOBER 13, 2011 __________ Serial No. 112-96 Printed for the use of the Committee on Energy and Commerce energycommerce.house.gov U.S. GOVERNMENT PRINTING OFFICE 74-605 WASHINGTON : 2012 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected]. COMMITTEE ON ENERGY AND COMMERCE FRED UPTON, Michigan Chairman JOE BARTON, Texas HENRY A. WAXMAN, California Chairman Emeritus Ranking Member CLIFF STEARNS, Florida JOHN D. DINGELL, Michigan ED WHITFIELD, Kentucky Chairman Emeritus JOHN SHIMKUS, Illinois EDWARD J. MARKEY, Massachusetts JOSEPH R. PITTS, Pennsylvania EDOLPHUS TOWNS, New York MARY BONO MACK, California FRANK PALLONE, Jr., New Jersey GREG WALDEN, Oregon BOBBY L. RUSH, Illinois LEE TERRY, Nebraska ANNA G. ESHOO, California MIKE ROGERS, Michigan ELIOT L. ENGEL, New York SUE WILKINS MYRICK, North Carolina GENE GREEN, Texas Vice Chairman DIANA DeGETTE, Colorado JOHN SULLIVAN, Oklahoma LOIS CAPPS, California TIM MURPHY, Pennsylvania MICHAEL F. DOYLE, Pennsylvania MICHAEL C. BURGESS, Texas JANICE D. SCHAKOWSKY, Illinois MARSHA BLACKBURN, Tennessee CHARLES A. GONZALEZ, Texas BRIAN P. BILBRAY, California JAY INSLEE, Washington CHARLES F. BASS, New Hampshire TAMMY BALDWIN, Wisconsin PHIL GINGREY, Georgia MIKE ROSS, Arkansas STEVE SCALISE, Louisiana JIM MATHESON, Utah ROBERT E. LATTA, Ohio G.K. BUTTERFIELD, North Carolina CATHY McMORRIS RODGERS, Washington JOHN BARROW, Georgia GREGG HARPER, Mississippi DORIS O. MATSUI, California LEONARD LANCE, New Jersey DONNA M. CHRISTENSEN, Virgin BILL CASSIDY, Louisiana Islands BRETT GUTHRIE, Kentucky KATHY CASTOR, Florida PETE OLSON, Texas DAVID B. McKINLEY, West Virginia CORY GARDNER, Colorado MIKE POMPEO, Kansas ADAM KINZINGER, Illinois H. MORGAN GRIFFITH, Virginia 7_____ Subcommittee on Commerce, Manufacturing, and Trade MARY BONO MACK, California Chairman MARSHA BLACKBURN, Tennessee G.K. BUTTERFIELD, North Carolina Vice Chairman Ranking Member CLIFF STEARNS, Florida CHARLES A. GONZALEZ, Texas CHARLES F. BASS, New Hampshire JIM MATHESON, Utah GREGG HARPER, Mississippi JOHN D. DINGELL, Michigan LEONARD LANCE, New Jersey EDOLPHUS TOWNS, New York BILL CASSIDY, Louisiana BOBBY L. RUSH, Illinois BRETT GUTHRIE, Kentucky JANICE D. SCHAKOWSKY, Illinois PETE OLSON, Texas MIKE ROSS, Arkansas DAVID B. McKINLEY, West Virginia HENRY A. WAXMAN, California (ex MIKE POMPEO, Kansas officio) ADAM KINZINGER, Illinois JOE BARTON, Texas FRED UPTON, Michigan (ex officio) (ii) C O N T E N T S ---------- Page Hon. Mary Bono Mack, a Representative in Congress from the State of California, opening statement............................... 1 Prepared statement........................................... 4 Hon. G.K. Butterfield, a Representative in Congress from the State of North Carolina, opening statement..................... 6 Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement.......................... 7 Prepared statement........................................... 9 Hon. Joe Barton, a Representative in Congress from the State of Texas, opening statement....................................... 10 Prepared statement........................................... 11 Hon. Pete Olson, a Representative in Congress from the State of Texas, opening statement....................................... 13 Hon. Cliff Stearns, a Representative in Congress from the State of Florida, prepared statement................................. 190 Hon. Henry A. Waxman, a Representative in Congress from the State of California, prepared statement.............................. 191 Hon. John D. Dingell, a Representative in Congress from the State of Michigan, prepared statement................................ 196 Witnesses Barbara Lawler, Chief Privacy Officer, Intuit.................... 14 Prepared statement........................................... 16 Answers to submitted questions............................... 201 Mike Hintze, Associate General Counsel, Microsoft Corporation.... 30 Prepared statement........................................... 32 Answers to submitted questions............................... 203 Scott Meyer, CEO, Evidon......................................... 56 Prepared statement........................................... 58 Answers to submitted questions............................... 206 Linda Woolley, Executive Vice President, Washington Operations, Direct Marketing Association, on behalf of Digital Advertising Alliance....................................................... 75 Prepared statement........................................... 77 Answers to submitted questions............................... 209 Allessandro Acquisti, Associate Professor of Information Technology and Public Policy, Heinz College, Carnegie Mellon University..................................................... 97 Prepared statement........................................... 99 Answers to submitted questions............................... 214 Pam Dixon, Executive Director, World Privacy Forum............... 112 Prepared statement........................................... 114 Submitted Material Majority memorandum, dated October 13, 2011, submitted by Mrs. Bono Mack...................................................... 197 UNDERSTANDING CONSUMER ATTITUDES ABOUT PRIVACY ---------- THURSDAY, OCTOBER 13, 2011 House of Representatives, Subcommittee on Commerce, Manufacturing, and Trade, Committee on Energy and Commerce, Washington, DC. The subcommittee met, pursuant to call, at 9:06 a.m., in room 2123, Rayburn House Office Building, Hon. Mary Bono Mack (chairman of the subcommittee) presiding. Members present: Representatives Bono Mack, Blackburn, Stearns, Bass, Harper, Lance, Cassidy, Guthrie, Olson, Pompeo, Kinzinger, Barton, Butterfield, Gonzalez, Matheson, Dingell, and Towns. Staff present: Jim Barnette, General Counsel; Brian McCullough, Senior Professional Staff Member, CMT; Jeff Mortier, Professional Staff Member; Gib Mullan, Chief Counsel, CMT; Andrew Powaleny, Press Assistant; Brett Scott, Staff Assistant; Shannon Weinberg, Counsel, CMT; Tom Wilbur, Staff Assistant; Alex Yergin, Legislative Clerk; Michelle Ash, Democratic Chief Counsel; Felipe Mendoza, Democratic Counsel; and Will Wallace, Democratic Policy Analyst. Mrs. Bono Mack. The subcommittee will now come to order. That makes it quiet down real quick. This is the fourth in our ongoing series of hearings on online privacy. When our work is finally finished, my goal is to point to a better way to protect consumer privacy and to promote e-commerce at the same time. In the end, this will benefit both American consumers and American businesses and preserve a strongly held belief all across our Nation and around the world that the Internet should remain free. The chair will now recognize herself for an opening statement. OPENING STATEMENT OF HON. MARY BONO MACK, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF CALIFORNIA When it comes to online privacy, at least for me, consumer attitudes and expectations are the bits and the bytes that matter the most. Do Americans really believe enough is being done today to protect their online privacy? Are they taking advantage of the many privacy tools currently available to them? Do they even know about these tools? If not, why not? And do these privacy features--for the most part--really work? Or is it time for Congress to finally legislate in this area? This is a hearing that I have been looking forward to for a very long time because it is the first time we tried to quantify what consumers expect and want. This is where the rubber hits the road with respect to online privacy. Today, there is no single Federal law expressly governing all data collection in the United States. Instead, there is a confusing hodgepodge of more than 300 State and Federal laws. Likewise, there is no single regulator to enforce all these privacy-related laws. Rather, an industry-specific approach has emerged whereby Congress has restricted consumer data collection and use by subject matter and provided the enforcement authority to the relevant Federal agency. As it stands today, the Federal Trade Commission arguably has the broadest jurisdiction to enforce general privacy violations under its Section 5 authority defining unfair or deceptive acts or practices. Since 2001 the commission has brought 34 cases against companies that failed to protect consumer information, including when companies fail to adhere to their own stated privacy policy. In recent years, both policymakers and stakeholders have expressed increasing concerns regarding the collection and availability of consumers' personal information online. Increased data collection and storage by Web sites, information brokers, direct marketers, ISPs, and advertisers have been driven in large part by the rapid decline of the associated costs of data processing and storage, while at the same time the value of consumer information has increased significantly. As we know, data about consumers' online behavior is being used today to target ads, increasing the likelihood of a sale of a particular product. Is this bad? Not necessarily. But is this process transparent enough and do consumers have enough information and tools available to them to be able to opt out of having their data collected and shared with unknown parties if they so choose? In many ways, this is the very root of the privacy issue. In response to growing concerns over online data collection and use--particularly regarding behavioral advertising--the online advertising community developed a self-regulatory model to provide consumers with notice and choice about advertisements delivered to them through behavioral targeting. The Digital Advertising Alliance developed and implemented these so-called ``about ads'' to provide consumers more information on why they are seeing a particular ad and to provide them a mechanism to opt out of future ads directed at them based on behavioral advertising. Later, the FTC took things a step further, proposing a number of principles to enhance consumer choices regarding privacy, including the concept of a ``do not track'' mechanism. Since the hearing in the last Congress on ``do not track'' legislation, the two most popular browser developers-- Microsoft's Internet Explorer and Mozilla's Firefox--have both designed and incorporated a ``do not track'' feature into their browsers. These features are user-controlled, so consumers must choose to turn them on to actually prevent tracking. Internet Explorer blocks content from sites that are on tracking protection lists and that could otherwise use the content to collect information. Mozilla's Firefox broadcasts its signal to each Web site a consumer actually visits, communicating the consumer's desire not to have his or her information collected. Clearly, the effectiveness of Mozilla's approach faces significant hurdles because every Web site that receives a signal from the consumer's browser must choose to honor their request, and currently there is no requirement that Web sites must do so. So what do consumers think about all of this? And when it comes to the Internet, how do we--as Congress and as Americans--balance the need to remain innovative with the need to protect privacy? Clearly, the explosive growth of technology has made it possible to collect information about consumers in increasingly sophisticated ways. Sometimes the collection and use of this information is extremely beneficial; other times, it is not. Despite everything that I have heard in our previous hearings, I still remain somewhat skeptical right now of both industry and government. Frankly, I don't believe industry has proven that it is doing enough to protect American consumers, while government, unfortunately, tends to overreach whenever it comes to new regulations. That is why I am so anxious today to hit the ``refresh key'' to learn the latest about consumer attitudes and expectations. And with that, I am happy to recognize the gentleman from North Carolina, Mr. Butterfield, for his opening statement for 5 minutes. [The prepared statement of Mrs. Bono Mack follows:] [GRAPHIC] [TIFF OMITTED] T4605.001 [GRAPHIC] [TIFF OMITTED] T4605.002 OPENING STATEMENT OF HON. G.K. BUTTERFIELD, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NORTH CAROLINA Mr. Butterfield. Let me thank you, Chairman Bono Mack, for holding this very important hearing today. This is no doubt a very important issue to all of us. You spoke with me when we first started this subcommittee at the beginning of the session, and you told me of your keen interest in this issue, and I want to thank you for pursuing this hearing today. This forum provides an opportunity to look at expectations and attitudes about privacy from a consumer's point of view, and these witnesses that we have today, all six of them, will no doubt share with us some very valuable perspectives. The bottom line is that consumers want and expect privacy. Whether they are online, hopping from one Web site to another, or buying a few things at a chain grocery store, but sometimes, the privacy consumers expect isn't respected. For example, the information collection practices by online tracking firms for purposes of behavioral advertising aren't generally visible to consumers, and with those consumers that know it is happening don't always know how to achieve the level of privacy they want with the tools available to them. I understand that online advertising is big business. We all know that. Last year revenue from all types of online and advertising totaled $26 billion. This revenue helps to support free access to a lot of the online content consumers have come to expect. A small but growing segment of this revenue is coming from behavioral advertising, and I think most of us by now understand how that works, but let me nonetheless try to describe it in my own way. Imagine that I am in the market for a new car, let's say a Ford Explorer. Since I drive a 2000 Ford Explorer, let's say I am in the market for another Ford Explorer. I visit some online car comparison Web sites, and there are many. I visit the manufacturer's Web site, and then I decide to put off buying a car for another day or two. I go to the Web site of a daily newspaper, and all of a sudden there are advertisements on some of the pages for, you guessed it, a Ford Explorer. This happens through the installation of cookies on my computer, although some of the industry have resorted to more persistent and less visible tracking tools. Those cookies allow an advertiser to track my online activities across multiple Web sites and ultimately serve me up a tailored advertisement for a vehicle that I had previously expressed an interest. I appreciate the amazing business opportunities made possible by behavioral advertising. I understand that consumers are probably more likely to purchase goods and services after seeing an advertisement if it is relevant to their likes and interests. However, a leading academic study of consumer attitudes toward behavioral advertising found they don't want it. That study found that 66 percent of survey participants did not want tailored advertising. The number that didn't want tailored advertising jumped to 84 percent when participants were asked if it would be OK to base that tailoring off of tracking a consumer's activities across Web sites. The number jumped to 86 percent when participants were asked if it would be OK to base tailored advertising on offline activities, like using a discount card at the grocery store. One thing is clear, consumers aren't clamoring for tailored advertising, and they become more uncomfortable with it when asked about the sorts of tracking activities that enable it. The finding of another study on consumer attitudes sums it up best: 64 percent of participants agreed that someone keeping track of my activities online is invasive, while only 4 percent disagree. I will be clear. I support the online advertising industry, I have told them that, and respect the central role that ads play in supporting a free Internet ecosystem. However, I strongly believe that consumers have the right to know upfront when their online activities are being tracked, what activities are being tracked, and what that information will be used for as well as the option to opt out of having their information collected entirely, not just from receiving targeted ads. The online advertising industry has responded to privacy concerns by creating a self-regulatory program for behavioral advertising that provides consumers with Web sites that allow them to opt out from receiving behavioral advertising from companies, from participating companies. I appreciate this effort. I still feel strongly that a national baseline privacy law is the best way to ensure consumers have basic common sense and permanent rights over the collection and use of their information. Again, thank you, Madam Chair. I yield back. Mrs. Bono Mack. I thank the gentleman. And the chair recognizes the gentlelady from Tennessee, Ms. Blackburn, for 5 minutes. OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TENNESSEE Mrs. Blackburn. Thank you, Madam Chairman. I want to welcome all of our witnesses here today. We are delighted to have you here to participate in this discussion, and as we talk about tech policy and the virtual marketplace today, we are talking about government regulating the use of data and what that interface is going to be. As we worked through this issue, as the chairwoman said, this is our fourth hearing on this, I have decided that this data should be treated as a natural resource and that the DNA of this data is very powerful. It really is the lifeblood of a thriving Internet economy. So here are some questions for you. Should we allow our free market to explore this natural resource and learn to commercialize it, protect it, and respect it, or are we going to restrict it altogether? Why should government be the decision-maker? Government seems to know so little. It reacts slowly, works poorly, and I was reading a quote from one of my favorite economists, F. A. Hayek, Friedrich Hayek, who wrote the book, ``Road to Serfdom,'' and as I had to remind a college student recently, that is s-e-r-f-d-o-m, not s-u-r-f-d-o-m. Let me give you this quote: It is the curious task of economics is to demonstrate to men how little they really know about what they imagine they can design, end quote. I think that is very relevant to this discussion that we are having about privacy in the virtual marketplace. We don't know what consumers' true expectations are about online privacy. Consumers are different. Their expectations are not static, whether they are 2 or 20 or 82, and innovation moves 500 times faster than what we see government moving. And we don't need to pretend that government has all the answers. Our thriving tech and ad industries are infinitely more responsive and better equipped to meet consumer needs than a Federal Government program that is one size fits all. In my opinion, our foundation for policy should be flexible, encourage beneficial use of data, protect against real harms, empower people instead of government. I look forward to your testimony. And at this time, I yield to Mr. Barton of Texas. [The prepared statement of Mrs. Blackburn follows:] [GRAPHIC] [TIFF OMITTED] T4605.003 OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS Mr. Barton. Thank you, Ms. Blackburn. I am going to read the Third Amendment to the Constitution of the United States. It says, no soldier shall in time of peace be quartered in any house without the consent of the owner nor in time of war but in a manner to be prescribed by law. That is the Third Amendment to the Bill of Rights of the Constitution. If the Founding Fathers had had the Internet, instead of saying without the consent of the owner to put soldiers in your home, they would have said without the consent of the Internet user, they couldn't collect data. I want to put my support to what the ranking member, Mr. Butterfield, just said. I think it is time that the Congress of the United States pass a strong, general, explicit privacy protection law. We have approached the use of the Internet more from a marketing standpoint, that apparently each of us that uses the Internet individually exists to primarily be marketed and not as individuals that have guaranteed rights under the Constitution. Now, the Constitution does not explicitly guarantee the right to privacy, but they wouldn't have put the Third Amendment about putting soldiers in your home without your consent if they didn't at least implicitly understand that every person in the United States at that time had the right to privacy. Every week, Madam Chairwoman, we hear some other additional outrage about the abuse of the Internet, whether it is a super cookie that somebody can put on your computer without your knowledge and you can't get it off. Now, my staff yesterday told me that one of our leading Internet companies, Amazon, is going to create their own server in their own system, and they are going to force everybody that uses Amazon to go through their server, and they are going to collect all this information on each person who does that without that person's knowledge. I mean, enough is enough, Madam Chairwoman. We have over 240 million Americans who use the Internet every day. Each of those 240 million Americans are entitled, in my opinion, to the right to privacy. With that, I want to yield the balance of the time to Mr. Olson of Texas. [The prepared statement of Mr. Barton follows:] [GRAPHIC] [TIFF OMITTED] T4605.004 [GRAPHIC] [TIFF OMITTED] T4605.005 OPENING STATEMENT OF HON. PETE OLSON, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS Mr. Olson. I thank my colleague, the chairman emeritus from Texas. I thank the chairwoman. As we continue our hearings on online privacy issues, we need to ask ourselves two fundamental questions: Number one, when it comes to privacy protections in the online space, is there an issue industry can't correct on their own through self-regulatory initiatives? And, number two, if there is a problem industry can't correct without negatively impacting jobs, our struggling economy, and the growth and innovation we are seeing in the online space, can the government correct these problems? Today's hearing is important because we will hear directly from industry about what they are doing on their own to better provide transparency and privacy for customers online. One key advantage industry has over government is the ability to quickly adapt to changes in consumer demands and changes in technology. So I thank the witnesses for being here and look forward to their testimony. Yield back. Mrs. Bono Mack. I thank the gentleman, and now we turn our attention to our panel. STATEMENTS OF BARBARA LAWLER, CHIEF PRIVACY OFFICER, INTUIT; MICHAEL HINTZE, ASSOCIATE GENERAL COUNSEL, MICROSOFT CORPORATION; SCOTT MEYER, CEO, EVIDON; LINDA WOOLLEY, EXECUTIVE VICE PRESIDENT, WASHINGTON OPERATIONS, DIRECT MARKETING ASSOCIATION, ON BEHALF OF DIGITAL ADVERTISING ALLIANCE; ALESSANDRO ACQUISTI, ASSOCIATE PROFESSOR OF INFORMATION TECHNOLOGY AND PUBLIC POLICY, HEINZ COLLEGE, CARNEGIE MELLON UNIVERSITY; AND PAM DIXON, EXECUTIVE DIRECTOR, WORLD PRIVACY FORUM Mrs. Bono Mack. We have one panel of witnesses joining us today. Each of our witnesses has prepared an opening statement that will be placed into the record. Each of you will have 5 minutes to summarize that statement in your remarks. A special welcome to the Californians on the panel, recognizing it is 6:25 for your body clocks, we have a special appreciation for your appearance here today. But on our panel, first, we have Barbara Lawler, chief privacy officer at Intuit. Then we have Michael Hintze, associate general counsel at Microsoft. Then we have Scott Meyer, chief executive officer at Evidon. Our fourth witness is Linda Woolley, executive vice president of the Direct Marketing Association. Our fifth witness is Alessandro Acquisti, associate professor of information systems and public policy at Carnegie Mellon University. And our final witness is Pam Dixon, executive director at the World Privacy Forum. Good morning and thank you all again for coming. You will be recognized for 5 minutes. To keep track of the time, you have the timers in front of you, and green, yellow, red, self- explanatory, but please try to wrap it up when you get to yellow so when it hits red, your 5 minutes is up. Ms. Lawler, if you could pull your microphone forward and turn it on, you are recognized for 5 minutes. STATEMENT OF BARBARA LAWLER Ms. Lawler. Good morning, Chairman Bono Mack, Ranking Member Butterfield, and members of the committee, thank you for this opportunity to comment on consumer expectations around privacy. I am Barb Lawler, the Chief Privacy Officer at Intuit. I ask that my full statement be put into the record due to the time constraints. Intuit is well positioned to comment on consumer expectations about privacy. Over 50 million customers entrust us with their most personal financial information. We have been committed to innovating and implementing the safest and most responsible ways to work with consumers' financial information for nearly 30 years. Understanding our customers' expectations about online privacy and earning their trust is a major priority at Intuit. Intuit recently undertook a comprehensive research program that examined our customers' expectations about privacy. Our customers told us they expect Intuit to be an ethical steward of their information, applying it reasonably and with integrity for their benefit, while keeping it safe and secure. Our research strongly informed the development of our data stewardship principles. The unifying concept is that it is the customer's data, not ours. Our principles provide our customers with tools to understand how their data is being used and empower them with choices to control the use of their data. These fundamentals were based on a number of key insights we learned from our customer research project. First, we learned that data privacy matters to consumers. While many people do not pore over privacy policy statements, they do care deeply about privacy and how their data is used. Customers told us the fine print is often confusing and they prefer simple, easy-to-read explanations of how their data will be applied and used and serviced to their needs. Second, we found that customers want clear, relevant, and context-based choices that educate and empower them to control the use of their data. When a choice is presented in relevant context and coupled with a simple explanation, most customers felt empowered to make choices and then welcomed the use of their data. Finally, confidence increases when consumers clearly understand how their data can be applied to benefit them. In the absence of clear statement and principles, customers can worry that their data will be sold to third parties to benefit someone else or possibly harm them. When data-driven benefits are clearly outlined to consumers in responsible ways, their attitudes toward the use of their data significantly changed. Data-driven innovations can equip individuals and small business owners with new tools and insights that once were only available to much larger and more powerful companies. Our research showed a tremendous appetite for such products and services amongst both consumers and small business owners. For example, Intuit developed capabilities for small business owners to compare themselves along key metrics for similarly situated businesses in the same geography. Imagine if your local florist could compare his regular spending trends, soil, marketing or delivery trucks, anonymously with those of other florists in his region of the country. This kind of service involves the use of the customer's own data in a way that brings meaningful value to their lives and financial well- being. As we move toward a connected services cloud-based economy, it is vital that we develop clear and practical privacy frameworks that answer the concerns and expectations of consumers, regardless of the technology or the device they choose to use. Data stewardship represents our ongoing commitment to act as an accountable organization to our customers and to the public. We see data stewardship as a clear and practical privacy policy framework for the 21st century. We all must work toward the shared goal of protecting consumers while maintaining data-driven innovation that improves consumers' lives in trusted, real, and fundamental ways. Thank you again for this opportunity. We look forward to working together with you and the committee toward this important goal. [The prepared statement of Ms. Lawler follows:] [GRAPHIC] [TIFF OMITTED] T4605.006 [GRAPHIC] [TIFF OMITTED] T4605.007 [GRAPHIC] [TIFF OMITTED] T4605.008 [GRAPHIC] [TIFF OMITTED] T4605.009 [GRAPHIC] [TIFF OMITTED] T4605.010 [GRAPHIC] [TIFF OMITTED] T4605.011 [GRAPHIC] [TIFF OMITTED] T4605.012 [GRAPHIC] [TIFF OMITTED] T4605.013 [GRAPHIC] [TIFF OMITTED] T4605.014 [GRAPHIC] [TIFF OMITTED] T4605.015 [GRAPHIC] [TIFF OMITTED] T4605.016 [GRAPHIC] [TIFF OMITTED] T4605.017 [GRAPHIC] [TIFF OMITTED] T4605.018 [GRAPHIC] [TIFF OMITTED] T4605.019 Mrs. Bono Mack. Thank you, Ms. Lawler. Mr. Hintze, you are recognized for 5 minutes. STATEMENT OF MICHAEL HINTZE Mr. Hintze. Chairman Bono Mack, Ranking Member Butterfield, and honorable members of the committee, my name is Mike Hintze, and I am an associate general counsel at Microsoft. Thank you for the opportunity to share Microsoft's perspective on the important issue of consumer attitudes about privacy. We appreciate the leadership the subcommittee has shown on this topic, and we are committed to working with you and others to protect consumer privacy while promoting innovation. The diverse products and services through which Microsoft engages with consumers gives us a unique perspective on the privacy discussion. We have a strong commitment to privacy because we recognize that consumer trust is critical to the adoption of online services. Our goal at Microsoft is to build trust with consumers by providing them with information about what data is being collected and how it is being used, offering choices about the collection and use of that data and ensuring that their data is kept secure. In our experience, there is no ``silver bullet'' solution to privacy. This is because privacy means different things to different consumers, and there is a wide range of privacy sensitivities among individuals. Consumers also have different privacy expectations depending on the context in which their data is collected and used. Finally, as technology evolves, customer expectations about privacy often evolve with it. These challenges require a multifaceted approach to addressing consumer privacy. In our view, this approach should focus on four key elements. The first element is company best practices. At Microsoft, we have a deep and longstanding commitment to privacy in how we design our products and services and how we operate our business. We believe in adopting practices that provide consumers with information and choices to enable them to exercise more control over their privacy. Let me provide some examples of how consumers have responded to that approach. Over the past 5 months, key privacy Web sites offered by just one division of our company averaged over 2 million sessions per month. In an average month, more than 435,000 consumers access our advertisement choice Web site. This site provides information about personalized online advertisements and how consumers can opt out or use other controls. Approximately 20 percent of those consumers perform some action while visiting that site, in most cases opting out of personalized ads. As these numbers make clear, when we provide consumers with information and meaningful controls, many will use them. The second element is technology tools that empower users to protect themselves as they interact with other sites across the Internet. For example, we were the first major browser manufacturer to respond to the FTC's recent call for a persistent browser-based ``do not track'' mechanism. In Internet Explorer 9, we offer this feature which we call tracking protection. It allows consumers to decide which third- party sites can receive their data and filters contents from sites identified as potential privacy threats. But no company can meet consumer privacy expectations on its own. So the third element that can contribute to the protection of consumer privacy involves baseline rules of the road established by both industry self-regulation and legislation. Industry self-regulation in particular plays an important role in fostering privacy solutions and can offer flexible approaches for protecting privacy in many different contexts. We also have long-supported Federal baseline privacy legislation as a means of setting rules that can protect consumers without hampering innovation. Nevertheless, self-regulatory efforts are generally better than prescriptive legislation to keep pace with evolving technologies. One recent example of this is the self-regulatory program for online behavioral advertising, which has advanced both transparency and consumer choice. Among other things, this program includes a standard icon that is prominently displayed in or next to online ads. By clicking on the icon, consumers can access information about the delivery of the ad and choose to opt out from receiving behavioral advertising. Finally, the fourth element is consumer education. In order for all of these elements to work, consumers need to understand the protections and tools available and the practices of companies with which they are interacting. That is why, in addition to providing information ourselves, we have also partnered with consumer advocates and government agencies to develop educational materials on consumer privacy and data security. In conclusion, addressing consumer privacy expectations requires the collaborative effort of individual companies, industry groups, consumer and privacy advocates, government, and consumers themselves. We must work together to meet these challenges without hindering innovation. Thank you, and I look forward to answering your questions. [The prepared statement of Mr. Hintze follows:] [GRAPHIC] [TIFF OMITTED] T4605.020 [GRAPHIC] [TIFF OMITTED] T4605.021 [GRAPHIC] [TIFF OMITTED] T4605.022 [GRAPHIC] [TIFF OMITTED] T4605.023 [GRAPHIC] [TIFF OMITTED] T4605.024 [GRAPHIC] [TIFF OMITTED] T4605.025 [GRAPHIC] [TIFF OMITTED] T4605.026 [GRAPHIC] [TIFF OMITTED] T4605.027 [GRAPHIC] [TIFF OMITTED] T4605.028 [GRAPHIC] [TIFF OMITTED] T4605.029 [GRAPHIC] [TIFF OMITTED] T4605.030 [GRAPHIC] [TIFF OMITTED] T4605.031 [GRAPHIC] [TIFF OMITTED] T4605.032 [GRAPHIC] [TIFF OMITTED] T4605.033 [GRAPHIC] [TIFF OMITTED] T4605.034 [GRAPHIC] [TIFF OMITTED] T4605.035 [GRAPHIC] [TIFF OMITTED] T4605.036 [GRAPHIC] [TIFF OMITTED] T4605.037 [GRAPHIC] [TIFF OMITTED] T4605.038 [GRAPHIC] [TIFF OMITTED] T4605.039 [GRAPHIC] [TIFF OMITTED] T4605.040 [GRAPHIC] [TIFF OMITTED] T4605.041 [GRAPHIC] [TIFF OMITTED] T4605.042 [GRAPHIC] [TIFF OMITTED] T4605.043 Mrs. Bono Mack. Thank you very much. Mr. Meyer, you are recognized for 5 minutes. STATEMENT OF SCOTT MEYER Mr. Meyer. Thank you, Chairman Bono Mack, Ranking Member Butterfield, and distinguished members of the subcommittee. My name is Scott Meyer. I am the CEO and founder of Evidon. I appreciate the opportunity to appear before you today to talk about consumer expectations regarding online interest-based advertising and the important role that my company, Evidon, plays in meeting those expectations. We founded Evidon specifically to promote transparency, consumer control, and accountability across the online advertising ecosystem. Our technology is at the heart of the industry's self-regulatory program, which is designed to give consumers greater control, transparency, and understanding of interest-based or behavioral ads. The core component of the program is the display of a distinct advertising option icon on interest-based ads and on Web sites where data is collected and used. Our platform, which is called Evidon InForm, is a leading example of privacy by design in the actual real world. It displays the advertising option icon in ads and on Web pages. When consumers click on the icon, they can easily find out more information about the ad. This includes information about the companies who are involved in delivering the ad to them as well as the all- important ability to opt out. I brought some slides with me today which are on the screens and are also in my written testimony, so if I could have the first slide, please, so you can see the platform in action. Here you can see an ad with the advertising option icon along with the text ad choices in the upper left-hand corner. You might also see the same icon in the bottom of a Web page. When consumers click on the icon, an overlay window appears with more information and the links you see displayed here on the next slide. In the 12 months since the launch of the advertising option icon program, Evidon has delivered over 85 billion of these in-ad notices through our platform. We currently provide notice in nearly 20 billion online ads each month, and on an average day, ads with Evidon-powered notice reach more than 80 million U.S. Internet users. One click on the more information and opt-out options on the slide takes you to the next page, which is the Evidon Web page shown here. And on this page, consumers can see which companies have been able, which companies have been involved in the data collection and use, and they have the ability to find out more as well as, importantly, to opt out. Evidon InForm also provides reporting to the companies to show them how consumers have interacted with this platform, and those reports are endorsed as a standard method for providing evidence of compliance with the industry's self-regulatory program. Though Evidon itself does not collect any consumer information, our anonymous logs show that the advertising option icon has been clicked 4.5 million times since the launch of the program. That has resulted in 730,000 opt-out requests being sent through the Evidon platform alone. In 2010, we commissioned a study by Millward Brown to better understand what consumers want and what they expect when they click on the icon. We found that 76 percent of consumers who clicked on the icon and interacted with the Evidon notice experience that you see here wanted to see all of the companies involved in targeting ads to them and find out more information. We also found that this was good for business, that 67 percent of consumers when they went through the Evidon notice experience felt more positive and in greater control of their advertising and felt more positive toward the brands that were involved in these ads. Together, these metrics support the proposition that consumers want more than a simple on or off switch, and they want substantive notice and control regarding the companies responsible for targeting the ads to them. Finally, if I could go to the next slide, in addition to implementing the advertising option icon, we have led the way with the creation of the Open Data Partnership. Open Data, a key feature is the preference manager you see here and in my written testimony which enables consumers to see and edit the information that companies have collected about them as well as the all-important ability to opt out. The metrics I have laid out today and more fully developed in my testimony reflect an order of magnitude shift in the availability of how information is used and collected and the choices that consumers are able to make. This is important because the information is no longer buried in privacy policies. Now it is presented to the consumer in clear, specific, and easily understood ways directly at the point of engagement. And ultimately, the success of this program should be judged by the degree to which these access tools are produced in a credible fashion and the extent to which these tools are offered to the consumer and not simply the rate at which consumers opt out. One last point I will make is that this hearing is all about consumer expectations. The one thing I think everyone here can agree on is that consumers have come to expect free online content. The targeted advertising that we are talking about today plays an essential role in supporting the vibrant, free, and open Internet that consumers have come to expect and to enjoy. Thank you again for inviting me to testify, and I look forward to answering your questions. [The prepared statement of Mr. Meyer follows:] [GRAPHIC] [TIFF OMITTED] T4605.044 [GRAPHIC] [TIFF OMITTED] T4605.045 [GRAPHIC] [TIFF OMITTED] T4605.046 [GRAPHIC] [TIFF OMITTED] T4605.047 [GRAPHIC] [TIFF OMITTED] T4605.048 [GRAPHIC] [TIFF OMITTED] T4605.049 [GRAPHIC] [TIFF OMITTED] T4605.050 [GRAPHIC] [TIFF OMITTED] T4605.051 [GRAPHIC] [TIFF OMITTED] T4605.052 [GRAPHIC] [TIFF OMITTED] T4605.053 [GRAPHIC] [TIFF OMITTED] T4605.054 [GRAPHIC] [TIFF OMITTED] T4605.055 [GRAPHIC] [TIFF OMITTED] T4605.056 [GRAPHIC] [TIFF OMITTED] T4605.057 [GRAPHIC] [TIFF OMITTED] T4605.058 [GRAPHIC] [TIFF OMITTED] T4605.059 [GRAPHIC] [TIFF OMITTED] T4605.060 Mrs. Bono Mack. Thank you, Mr. Meyer. Ms. Woolley, you are recognized for 5 minutes, and please make sure your microphone is on and close to you. STATEMENT OF LINDA WOOLLEY Ms. Woolley. Thank you, Madam Chairman. Ranking Member Butterfield and members of the committee, thank you for the opportunity to speak. My name is Linda Woolley, and I am Executive Vice President of Washington Operations for the Direct Marketing Association, a global trade association of thousands of businesses and nonprofit organizations that use and support multi-channel direct marketing tools and techniques. Today, however, I am pleased to testify on behalf of the Digital Advertising Alliance, known as DAA, and to report to the subcommittee on the substantial progress of our self- regulatory program for online behavioral advertising. The program which you heard about from previous witnesses builds on a long tradition of successful self-regulation in marketing and advertising and provides transparency and controls so that consumers can exercise their individual choices regarding online behavioral advertising. It is appropriate that the subcommittee is devoting a series of hearings to online issues because it is impossible to overstate the economic importance of the Internet today. I think one of your members, I think Mr. Butterfield actually, mentioned earlier that the online behavioral advertising industry in this year alone represents a $30 billion economy, and that is growing. Advertising helps to fuel the Internet economic engine. According to a new report from the Direct Marketing Association, based on the results of the first half of this year, expenditures in 2011 on online marketing in the United States are expected to total over $30 billion. These revenues support e-commerce and subsidize a rich variety of content and services that consumers and businesses rely upon and value. Behavioral or interest-based advertising is an essential form of online advertising. It delivers content to consumers based on interests that are inferred from data about online activities. Consumers are likely to find interest-based advertisements much more relevant than the random messages that they would otherwise receive, and advertisers and publishers also derive great value from relevant advertising. In general, the data used for interest-based advertising is not personally identifiable, except when consumers choose to share personally identifiable information. Nevertheless, the advertising industry recognizes and respects that some consumers prefer not to receive such advertising. In 2009, as was already mentioned, the Federal Trade Commission endorsed industry self-regulation for online interest-based advertising. Following the road map that was set out by the Commission, the online advertising industry, on its own initiative, developed a self-regulatory principles for online behavioral advertising that cover consumer education, enhanced notice of data practices, innovative mechanisms, choice mechanisms, data security, sensitive data protection, consent for retroactive material changes, and enforcement. Our self-regulatory principles are comprehensive, but yet they are flexible enough to respond to the complex and ever- evolving online advertising ecosystem. More importantly, they represent consensus in the online advertising community and are supported by all of the major industry stakeholders in the Internet ecosystem, as my colleague from Microsoft previously mentioned. Since publishing the principles, the advertising industry has put its money where its mouth is and developed a program that is second to none. Hundreds of companies have invested now millions of dollars to give consumers transparency about online data collection practices and meaningful choices about how data is collected and used. I want to mention that the DAA program includes all 15 largest online advertising networks and that the brands that participate in this program are household names. To mention a few: Google, Microsoft, Yahoo!, GM, American Express, Bank of America, Disney, Procter & Gamble, Target, Wal-Mart, AT&T, Verizon, Comcast, Time Warner Cable, Honda, Hyundai, Toyota, Dell, HP, the list goes on, but I think you get the sense of how all of these companies understand that this is a critical program, a critical and credible program that they, too, want to be part of. My written testimony describes our achievements in greater detail, but I would like to highlight a few key elements for the subcommittee. First, the advertising option icon shown in this program is a key feature of the program, and as mentioned earlier, this is what consumers see if they click on it, they get in one or two clicks and are able to opt out. The self-regulatory program: Second, the DAA program is effective and easy to use for consumers. When the ad is delivered is at the exact moment that consumers are likely to want to take action and make a choice about their preferences, and finally, the program is backed up by strong enforcement, managed through both DMA and the Council of Better Business Bureau. Thank you very much for the opportunity to testify. [The prepared statement of Ms. Woolley follows:] [GRAPHIC] [TIFF OMITTED] T4605.061 [GRAPHIC] [TIFF OMITTED] T4605.062 [GRAPHIC] [TIFF OMITTED] T4605.063 [GRAPHIC] [TIFF OMITTED] T4605.064 [GRAPHIC] [TIFF OMITTED] T4605.065 [GRAPHIC] [TIFF OMITTED] T4605.066 [GRAPHIC] [TIFF OMITTED] T4605.067 [GRAPHIC] [TIFF OMITTED] T4605.068 [GRAPHIC] [TIFF OMITTED] T4605.069 [GRAPHIC] [TIFF OMITTED] T4605.070 [GRAPHIC] [TIFF OMITTED] T4605.071 [GRAPHIC] [TIFF OMITTED] T4605.072 [GRAPHIC] [TIFF OMITTED] T4605.073 [GRAPHIC] [TIFF OMITTED] T4605.074 [GRAPHIC] [TIFF OMITTED] T4605.075 [GRAPHIC] [TIFF OMITTED] T4605.076 [GRAPHIC] [TIFF OMITTED] T4605.077 [GRAPHIC] [TIFF OMITTED] T4605.078 [GRAPHIC] [TIFF OMITTED] T4605.079 [GRAPHIC] [TIFF OMITTED] T4605.080 Mrs. Bono Mack. Thank you, Ms. Woolley. Dr. Acquisti, you are recognized for 5 minutes. STATEMENT OF ALESSANDRO ACQUISTI Mr. Acquisti. Thank you, Chairman Bono Mack, Ranking Member Butterfield, and members of the subcommittee, it is my honor to be here today. My name is Alessandro Acquisti. I am an associate professor at the Heinz College, Carnegie Mellon University. I have been studying the economics of privacy for about 10 years. Surveys have found repeatedly evidence of widespread privacy concerns among U.S. consumers. Most Americans believe that privacy is a right, and this right is under threat. They express concerns over the way businesses collect personal information and favor government intervention over self- regulation as a means to protect privacy. Consumers are especially troubled by tracking technologies. A vast majority of individuals express elevated concerns about the usage of their location data and significant distrust towards targeted advertising. However, other studies have found discrepancies between privacy attitudes, what people say in surveys, and actual behavior. Individuals like sharing information online with friends and seem willing to trade privacy for convenience and personalized services. Now, consumers' willingness to share personal information is not in contradiction with their desire for privacy. However, behavioral research has shown that consumers face significant challenges in navigating complex privacy trade-offs in the marketplace in ways which reflect their self-interests. One problem highlighted by research is that consumers often do not know what happens to their data or are provided confusing, sometimes even misleading information about their data. Choice and notification regimes are unlikely to solve the problem. By the time the consumer learns how to deal with a privacy sensitive technology, often a new and more intrusive technology has already appeared, catching the consumer unprepared. Furthermore, if we assume that consumers will actually read the privacy policies, studies have shown that the opportunity costs for the U.S. economy or the time spent actually reading those policies will be about two-thirds of a trillion dollars a year. These problems are magnified by the proliferation of consumer tracking across multiple sites and progresses in data mining, which make it possible to re-identify individuals and make sensitive inferences from data which seemed anonymous. In a recent experiment at Carnegie Mellon, we predicted individuals' Social Security numbers simply starting from their faces. Individuals and consumers are at a loss here because they cannot predict how the innocuous information they reveal today will be combined to produce more sensitive inferences tomorrow. A second problem relates to systematic biases, mistakes people make when trading off privacy and disclosure. Consider instant gratification bias. Human beings tend to value the present more than the future and therefore underappreciate the negative consequences of current actions. While the benefits of information disclosure are often immediate, the costs of disclosures happen in the future. Therefore consumers may disclose data today that puts them at great risk tomorrow. Consider also the paradox of control. At CMU, we did experiments and found that increasing control of a person's information can decrease concern about privacy but paradoxically increases individuals' propensity to disclose sensitive information to strangers, even when the objective risks are actually increasing. So, in a way, more control, less privacy. In other experiments, we found that individuals can be manipulated to disclose more or less information with subtle changes to the interfaces of Internet services. There is evidence that online companies have used similar strategies to nudge users toward more disclosure. So self-regulatory solutions are unlikely to solve this kind of a problem. In a way, this research indicates that there is no complete free choice on the Internet. What I mean is that even before the first visitor has arrived to a Web site, the engineers of the Web site have made design decisions that will impact the future behavior of the visitor and in fact also how much the person will reveal. So privacy is becoming less about control over your information and more about the control that others can have over you if they have your information. In economic terms, the notion that as consumers, we receive free online services is only partially accurate. The other side is that in reality information doesn't pay the bills at the end of the month. The free services consumers get are paid by consumers by purchasing goods at prices which they are nudged to accept based on information firms have about them. Now for the good news. Industry and academic laboratories across the United States have also developed other technologies which can protect privacy without sacrificing firms' ability to innovate. I am referring to privacy enhancing technologies, in particular through the type of technologies which work by anonymizing individual data in ways which are both effective, in the sense that reidentification becomes very hard, and efficient, in the sense that transactions can still be completed. This means that we can still tap economics as a natural resource without sacrificing consumer privacy. Therefore, a critical question for Congress is how to create incentives so that we can foster the progress and the deployment of those technologies. Thank you, and I look forward to answering any questions. [The prepared statement of Mr. Acquisti follows:] [GRAPHIC] [TIFF OMITTED] T4605.081 [GRAPHIC] [TIFF OMITTED] T4605.082 [GRAPHIC] [TIFF OMITTED] T4605.083 [GRAPHIC] [TIFF OMITTED] T4605.084 [GRAPHIC] [TIFF OMITTED] T4605.085 [GRAPHIC] [TIFF OMITTED] T4605.086 [GRAPHIC] [TIFF OMITTED] T4605.087 [GRAPHIC] [TIFF OMITTED] T4605.088 [GRAPHIC] [TIFF OMITTED] T4605.089 [GRAPHIC] [TIFF OMITTED] T4605.090 [GRAPHIC] [TIFF OMITTED] T4605.091 [GRAPHIC] [TIFF OMITTED] T4605.092 [GRAPHIC] [TIFF OMITTED] T4605.093 Mrs. Bono Mack. Thank you very much. And Ms. Dixon, you are now recognized for 5 minutes. STATEMENT OF PAM DIXON Ms. Dixon. Thank you. Thank you for the invitation to come here today. I appreciate it very much. Just three quick things. First, I think we have heard today that from industry and academics, that consumers just don't know what the risks are out there, and we all drive cars, but we are not all mechanics. Likewise, consumers are on the Internet, but they are not all technical experts. This is not a surprise to any of us. It is so frustrating when we get consumer phone calls, and there is a solution for them, but they don't know about it. And we talk to them about it, but that is just one consumer that we have helped. There are millions and millions of consumers in this particular boat. How do we help all these consumers who are unaware of these technical risks that we face online? It is a very difficult challenge, but the one thing that surveys are very clear on is that consumers are completely almost unaware of the risks they face. It would be very challenging for a consumer to simply keep up with everything that is going on between a tracking cookie and a this and a that. But secondly, as Alessandro has talked about, consumers do not understand the privacy trade-offs that they are looking at, when they are looking at privacy policies and icons. This is a deep problem that is not going to be solved by pretty much anything. This is a human nature problem. So a consumer goes to a Web site, they see a privacy policy or they see a seal or an icon. What do they think? They think that their information is not collected, that their information is not sold, bartered, et cetera. This is simply not usually the case, but this is what consumers believe. This is a fundamental perception issue that is going to need to shift for consumers to be able to take adequate protective actions for themselves. So, as a result of these structural imbalances on the Web, we support legislation that will protect consumers. However, the reality check is that we don't see any likelihood of that happening in the near future. So what is a consumer to do? What is to happen now? What are we faced with here? I think that what we need to do is look at self-regulation. If self-regulation is going to be the way forward, we need to reform it. There are a lot of structural issues with self-regulation today. Self-regulation today bears many of the hallmarks that self-regulatory efforts for privacy in the past have also shared. I have included a checklist of 15 items that a credible self-regulatory regime should have. Among these include greater transparency; a defined and permanent role for consumers; composition of a board, a governing board that includes a majority of consumer involvement. All of these things would go far to improve the current self-regulatory schemes in play today. So we advocate for greatly improved and reformed self- regulation. I think it is an important thing to look at. The second thing is that we think that there needs to be a broader scope of discussion. It is very frustrating for me when I hear discussions about online advertising because when we get calls from consumers, they are not talking about what ads they have been shown, not usually; it is pretty rare. They are talking about their health data that has been used against them, that an employer has found. They are talking about when they have gone to a Web site, they have signed up for a survey, and then they found out later that that information was sold because they just didn't read the privacy policy. We have got to look at the broader array of privacy issues. Some of these issues do include advertising because advertisings are part of the collection mechanism online. That is the role we need to look at. So when we are talking about opt-outs, it is great that there is so much more activity with opt-out and that the opt-out is better. We support that, and I think it is terrific. It is. It really is. It is much, much better than it was even 2 years ago. But what are consumers getting the right to opt out of? Are they getting the right to opt out of tracking or being shown an ad? We need to deliver opt-outs that confer fundamental choices to consumers, like opting out of tracking. So this is what we think is really important to focus on. And then just a quick word. Many of the self-regulatory regimes today focus on very narrow aspects of online privacy. So, for example, if a consumer with a health condition was to go to a Web site to research AIDS or cancer or Alzheimer's for an aging parent, that consumer's information can be tracked and then used in ways that may be counter to their expectations. This is exactly the kind of thing that we need to work with. Does it harm a person to be shown an ad about Alzheimer's? That is debatable. In some cases, I think young teen girls being shown weight loss ads; that can be harmful. But other, you know, a red car or a blue car; I am not so worried about that. I am worried about the collection of the data, the tracking, and the reuse. So that is my statement, and thank you for your time and attention. [The prepared statement of Ms. Dixon follows:] [GRAPHIC] [TIFF OMITTED] T4605.094 [GRAPHIC] [TIFF OMITTED] T4605.095 [GRAPHIC] [TIFF OMITTED] T4605.096 [GRAPHIC] [TIFF OMITTED] T4605.097 [GRAPHIC] [TIFF OMITTED] T4605.098 [GRAPHIC] [TIFF OMITTED] T4605.099 [GRAPHIC] [TIFF OMITTED] T4605.100 [GRAPHIC] [TIFF OMITTED] T4605.101 [GRAPHIC] [TIFF OMITTED] T4605.102 [GRAPHIC] [TIFF OMITTED] T4605.103 [GRAPHIC] [TIFF OMITTED] T4605.104 [GRAPHIC] [TIFF OMITTED] T4605.105 [GRAPHIC] [TIFF OMITTED] T4605.106 [GRAPHIC] [TIFF OMITTED] T4605.107 [GRAPHIC] [TIFF OMITTED] T4605.108 [GRAPHIC] [TIFF OMITTED] T4605.109 [GRAPHIC] [TIFF OMITTED] T4605.110 [GRAPHIC] [TIFF OMITTED] T4605.111 [GRAPHIC] [TIFF OMITTED] T4605.112 [GRAPHIC] [TIFF OMITTED] T4605.113 [GRAPHIC] [TIFF OMITTED] T4605.114 [GRAPHIC] [TIFF OMITTED] T4605.115 [GRAPHIC] [TIFF OMITTED] T4605.116 [GRAPHIC] [TIFF OMITTED] T4605.117 [GRAPHIC] [TIFF OMITTED] T4605.118 [GRAPHIC] [TIFF OMITTED] T4605.119 [GRAPHIC] [TIFF OMITTED] T4605.120 [GRAPHIC] [TIFF OMITTED] T4605.121 [GRAPHIC] [TIFF OMITTED] T4605.122 [GRAPHIC] [TIFF OMITTED] T4605.123 [GRAPHIC] [TIFF OMITTED] T4605.124 [GRAPHIC] [TIFF OMITTED] T4605.125 [GRAPHIC] [TIFF OMITTED] T4605.126 [GRAPHIC] [TIFF OMITTED] T4605.127 [GRAPHIC] [TIFF OMITTED] T4605.128 [GRAPHIC] [TIFF OMITTED] T4605.129 [GRAPHIC] [TIFF OMITTED] T4605.130 [GRAPHIC] [TIFF OMITTED] T4605.131 [GRAPHIC] [TIFF OMITTED] T4605.132 [GRAPHIC] [TIFF OMITTED] T4605.133 [GRAPHIC] [TIFF OMITTED] T4605.134 [GRAPHIC] [TIFF OMITTED] T4605.135 [GRAPHIC] [TIFF OMITTED] T4605.136 [GRAPHIC] [TIFF OMITTED] T4605.137 [GRAPHIC] [TIFF OMITTED] T4605.138 Mrs. Bono Mack. Thank you, Ms. Dixon. And now I will recognize myself for 5 minutes for questioning. I would like to start with Mr. Meyer. In your testimony, you state that since October 2010, your icon has been featured in over 85 billion ads, that consumers have clicked the icon 4.5 million times, and that consumers have submitted 730,000 opt-out requests. That is not a real high success rate I would think. On your slide, I noticed the icon, and I toured Intuit a little while ago, and they had some pretty fantastic technology that tracked the eyeballs as they followed around the screen. What kind of testing did you do of your icon and clicking on that icon, is that evident enough for the consumers, or is this not quite there yet as being as obvious to consumers as it could be? Mr. Meyer. Sure. So I think that we do a lot of testing, and the challenge with the size of the icon in the ad is that we are working with a small amount of real estate, and we have to balance the notification about online tracking with the ability for the ad to actually perform, and we have to enable marketers to continue to meet their needs. The icon was created through a cross-industry and cross-functional group that included academics and industry, and it was tested reasonably well. And very importantly, I would end with the icon is not an opt-out mechanism. The icon is an education mechanism. One of the important features is the ability to opt out, and in terms of the performance rates in terms of the clicks relative to the performance of overall online advertising, it is very consistent; general online advertising ads click rates generally are under 1 percent anyhow. Mrs. Bono Mack. Can you--and let me clarify a little bit about what I am saying about the success rate of that, whether that is driven by your design or whether it is driven by consumer expectations is, I think, the point of the whole hearing, but on all of these different cookies, can you briefly explain the difference between tracking, session, persistent, flash cookie, super cookie, and if there is absolutely no technological answer on the horizon that could wipe all of those things out? Mr. Meyer. So the technological answers exist today for almost all the different types of cookies. Mrs. Bono Mack. Even a super cookie? Mr. Meyer. Super cookies are the one piece that we at Evidon think should not be used for any form of online advertising. That is not what they are designed for. We don't think there is any legitimate purpose in online advertising for super cookies. All the other forms of cookies that you allude to, that you mention, are easily accessible. The most basic are HTML cookies that are used for what are called session and permanent cookies, and those can be erased through the opt-out mechanism that we provide. We also own and operate a service called Ghostery, which is one of the most popular privacy protection tools for consumers. More than 4 million people have downloaded it. That completely blocks advertising. It essentially creates the on-off switch that is envisioned by ``do not track.'' Mrs. Bono Mack. So Ghostery is a lot stronger than if I just go into my own browser and I hit delete cookies? Mr. Meyer. That is true. Mrs. Bono Mack. If I can go to Ms. Lawler, thank you for your testimony, and for me, something that has struck me over all of these years is the migration of what the content industry has been faced with, that it is impossible to compete against free. And I know that Intuit has tried, they have now Mint.com, so you have both the Quicken and the Mint. Can you explain, are consumers understanding the difference? Are they enjoying the free program better? Are they migrating to free because they are getting some trade-offs? Can you explain briefly your experiences with the two? Ms. Lawler. Yes. So let me start and say there is--Quicken is actually our flagship product. That is where Intuit started nearly 30 years ago, and so that is downloadable software or CD-based software that you run on your desktop, so you pay for that. I think what you are asking is where the business model goes and where consumers are going is to an online-based service. In the case of Mint.com, Mint is free, and so you are not paying for that. You can actually use some of the tools on Mint without even signing up for it. When you go to the Mint page, it is very simple, easy, clear to understand what the value is, what you can do in terms of managing your budget, tracking expenses. How that gets paid for is through the option for you to get offers. Mrs. Bono Mack. But my question specifically is, are you finding that consumers are going toward the free site rather than the--either the downloading, you buy the CD-ROM at---- Ms. Lawler. They are moving over time. I don't have the specific numbers with me. I would be happy to go find that information for you and bring it back to the committee at a later date. What we are finding is that there is a gradual move to online. Some of that is technology based, so those who are more comfortable with mobile technologies. It is also somewhat generational, so as we see young people more comfortable with using free online services or any online service, there is definitely a trend toward online, but it is very slow and gradual, so small percentages over the years. Mrs. Bono Mack. All right, thank you. My time has expired. Mr. Towns, you are recognized for 5 minutes. Mr. Towns. Thank you very much, Madam Chair. Let me begin with you, Ms. Dixon. I understand that there was a study in California of Internet users, and of course, could you please talk about that just for a moment in terms of what happened? Ms. Dixon. Yes, I believe you are referring to the Chris Hoofnagle and Jennifer King study that---- Mr. Towns. In 2008? Ms. Dixon. Yes. Mr. Towns. Yes, right. Ms. Dixon. It was a groundbreaking study. What they did was they went and surveyed online users and asked them what they perceived when they saw privacy policies online. And their findings were remarkable because the misperceptions were just profound. So, for example, a majority of consumers, when they saw a privacy policy, believed that that meant that the site would not collect information about them, even collect. Users also believed that they would have the right to sue if the site did things with their data that they did not want, and these were just among a few of the many misperceptions that consumers had about privacy policies when they saw them, and consumers, very few consumers understood that when, for example, they opted out--there were questions about, you know, various cookies and what not. Consumers just did not understand that when they opted out with an opt-out cookie, that it didn't mean that they were not going to be tracked; it just meant that they were not going to be given display ads based on tracking. So there was a profound, deep, serious misunderstanding and misperception of what privacy policies actually mean when they are on a site. Mr. Towns. Thank you very much. Dr. Acquisti, do you think privacy policies serve any useful purpose for the consumers? Mr. Acquisti. They do. I see them as necessary, not sufficient, conditions in the sense that we do need privacy policies because we need to inform and educate the consumers. They are not sufficient, however, because of the type of challenges I was describing in my testimony. Mrs. Bono Mack. Excuse me one second, if the gentleman will suspend. I am asked to notify you, while there are protestors in the hallway, we don't expect it to get out of hand, but if it does, please exit that door. Mr. Towns. You don't have to worry about it, I am here. I am here, don't worry about it. Mrs. Bono Mack. There you go. I feel so comfortable now. Thank you, please continue. Mr. Towns. Yes, you may continue. Mr. Acquisti. So the challenges I was mentioning, just to summarize, are, one, the problem of--economists call it bounded rationality. We don't have unlimited time to think about all the possible consequences. Even if we read a policy, we may not think through what it really implies. Some policies are written in ways which are not easily understood. One study a few years ago reported that half of privacy policies on the Internet are not understood by about 60 percent of Internet users. Plus there is also this additional challenge that if we take these policies seriously, and we really believe that users, after reading privacy policies, do not know what happens to their data, the opportunity cost is enormous. Mr. Towns. Thank you very much. Mr. Hintze, I followed your company in terms of I know you have a privacy officer. Basically what is the role of that privacy officer? Mr. Hintze. Well, we have a number of people at Microsoft focused on privacy. We have got our chief privacy officer, who is responsible for the overall governance of privacy programs within Microsoft, and that includes training for our employees, whether they are developers or marketers or human resources folks. It includes the development of our standards and guidelines that we provide around marketing, around product development, et cetera. It includes building in privacy checkpoints and privacy training and privacy standards into our business processes. So our chief privacy officer oversees all of that. He also oversees, not necessarily direct reporting relationships, but kind of a dotted-line relationship to all the people in Microsoft who are focused on privacy, and we have over 40 full-time people focused on privacy and another 400 who have it as a defined part of their job, and those people are embedded in every business and operations unit of the company. Mr. Towns. Short of strongly regulating business, which would probably do more harm than good, what can we do to encourage other companies to consider privacy issues very carefully. Mr. Hintze. As I mentioned in my testimony, I think that there are roles for multiple entities in protecting privacy from government, individual companies, to academics and privacy advocates as we have represented on the panel here today. I think individual companies like ourselves can lead by example by adopting strong privacy practices. We have made those internal standards that I talked about for developing products and services and building privacy protections into those; we have made those publicly available so that others can see them and take advantage of the work that we have done over the years in developing those. Privacy advocates clearly have a role in helping to educate consumers and bring to the attention issues that come up and nudging industry in appropriate ways to do the right thing. And government has a role through enforcement when people are breaking existing laws through using your own bully pulpit to educate your constituents and playing the oversight role that this committee has done so well for so many years. Mr. Towns. Thank you so much. We salute you and your company. Mrs. Bono Mack. The Chair now recognizes Mr. Blackburn for 5 minutes. Mrs. Blackburn. Mr. Meyer, I want to come to you. I know that Evidon is partnering with Akamai? Am I saying that correctly? There was a Wall Street Journal article on it saying that you would handle, what is it, trillions of interactions, a trillion interactions a day. So let's talk about the consumer. Now, with your platform, tell me what this means for the consumer. How does it empower them? How does it allow them to continue to protect or have the ability to protect what I term the virtual you, their presence online? So just in about 15, 20 seconds, can you give me that synopsis? Mr. Meyer. I will do my best. So Akamai powers more than a trillion Internet transactions every day. The Evidon technology, which you saw in my slides and in my testimony, will now be built directly into that platform, which will take the process of Web site operators of all forms, and it will take the process of complying with the program and giving consumers that view into their virtual you. It will take what is now a reasonably complex legal and technical process, and it will simplify to literally a few clicks and a short one. Mrs. Blackburn. So you are saying your ability is simplicity and transparency and access. Is that what I am hearing you say? Mr. Meyer. That is the goal of us and Akamai getting together for this. Mrs. Blackburn. That is what I wanted to know. I was unclear. The B2B is fine, but I want to know what you are going to do for the consumer. How are you going be able to protect their privacy? Ms. Woolley, I want to ask you pretty much the same thing. Do you think that industry can do a better job than government in addressing these privacy concerns that you all have rolled out with the Ad Choice campaign? Ms. Woolley. Yes, I absolutely think that industry can do a better job than government. The main reason is that we are nimble, and we can move quickly. We have rolled out this program in a year. And we are now rolling out further iterations of the program, which include migration of that icon overseas and migration of that icon to mobile devices. To do that in less than a year is something that government could not do. Mrs. Blackburn. In your testimony, you mentioned protecting data in terms of the cost to jobs, cost to the economy. And would you just elaborate on that just a tiny bit? Ms. Woolley. Sure. There have been several studies that show that if the United States were to adopt a privacy regime along the lines of what Europe has adopted that the cost---- Mrs. Blackburn. ``Do not track.'' Ms. Woolley. ``Do not track.'' And do not use cookies. The cost to our economy would be about $33 billion a year. Mrs. Blackburn. OK. Thank you. I have a series of yes-and-no questions that I wanted to go through. So if you all will listen, and I will have you raise your hand for yes and your hand for no. OK. Do you believe that a government mandated ``do not track'' as the FTC has endorsed has gone too far and would be too much to address the privacy problem? Yes, if you believe ``do not track'' goes too far, raise your hands. OK. So I have got four on that. And no. One no. And the rest abstain. So you are going to be a no, too. I like decisiveness here. Second question: Do you believe that government regulations on commercial use of de-identified metadata or anonymous data sets pose significant challenges to the First Amendment? So do you believe that government regulations on commercial uses of de-identified metadata or anonymous data sets pose significant challenges to the First Amendment. Yes? OK. We have got two yeses. No? We have got two noes. And the rest are thinking. Congress and the Federal Government in general have a low approval rating. We admit that. Yes or no, do you think consumers--here is the question, yes or no, this is what I want to hear from you all: Do you think consumers trust government to know best how to protect their privacy through rules, mandates, legislation, or no? Do they trust the government to do it, or do they trust you? Yes, if they trust government. Just two of you would trust the government. No, they don't trust the government. They would trust industry, one. Like these hands kind of waving out there. Do you believe that new privacy regulations could have an adverse impact on industry competition that would hinder smaller firms, some of the innovative firms? Yes. Do you believe new privacy regulations could have an adverse impact on industry competition that would hinder smaller firms or no? Yes if you believe it is going to have a---- We have got two on the yes side. No, not going to impact. One no. I am going to let you off the hook because my time has expired. Thank you. Mrs. Bono Mack. The chair thanks the gentlelady and now recognizes Mr. Lance for 5 minutes. Mr. Lance. Good morning to all. This is very interesting, and I have learned a great deal. To Ms. Lawler, do you know what percentage of your customers view and manipulate the privacy options that you offer them? Ms. Lawler. We have a couple of different ways that we approach privacy choices. If you think about the traditional choices that most companies have offered for the last several years, which would be in the marketing space--so around phone calls, e-mails, snail mail and so on--it is a fairly small percentage. I don't have all of the numbers with me. I can tell you that in our email marketing, specifically that our opt-out rates are at about the industry average, but I would be happy to research that more with our technicians. Mr. Lance. What is the industry average? Ms. Lawler. It is about 0.05 to 0.1. It depends upon the type of ad and the context. Mr. Lance. Thank you. Thank you very much. To Professor Acquisti, your testimony includes an interesting point that I am not sure has been raised before. You call it the paradox of control. In other words, the more privacy choices a consumer has, the more likely that consumer is to have a false sense of security. Does this argue against more granular controls, or if you would elaborate on your views on that? Mr. Acquisti. It was a paradoxical result. To explain it with an analogy, other studies have shown that when you ask people to wear seatbelts, they--some of them may start driving faster. It is probably overconfidence. You feel more protected, you end up taking more risks. So we believe that this is what is happening in the results we found is you make consumers feel more in control, the ones deciding with the agency of deciding whether or not to disburse information, which in a normative sense is a good thing, the unexpected consequence can be that this overconfidence can lead to the consumer taking more risk. What I mean by more risk, and I have to be very careful, is compared to a condition where there was no such feeling of control, the subjects in the control ended up revealing more sensitive information to more strangers. Mr. Lance. So how would you overcome that challenge? Mr. Acquisti. Well, it is central what kind of control do we give, and whether control solves all of the problems. So the results of the study suggest that merely giving granular control may not solve consumer decision-making problems if the control leads to bad decisions later on. It is not a statement about we should never give control, of course. It is about what matter, what type of control we give and whether by giving control, do we feel that we have solved privacy problems. The results of the experiment, such as the answer to the last question, is no. Mr. Lance. Thank you very much. To Mr. Hintze from Microsoft, you state that consumer attitudes to privacy can evolve over time--I am sure that is true--noting how consumers were originally hesitant to share photos and videos online, but now regularly do so. Have you seen any evidence where consumers are evolving in the opposite direction to restrict the collection and sharing of their information online with commercial operators? Mr. Hintze. I am not sure I can point to any particular statistics that would show that, but I certainly think that we see more of an awareness of privacy than we did a few years ago. I agree with the comments that Ms. Dixon made that people don't always fully understand all of what is going on, and it is always a challenge to get the right information in front of consumers, but you do see a heightened awareness, and that is in large part due to the work of privacy advocates and many of the journalists. And we have all seen the Wall Street Journal series of articles and other publications that have been focused on privacy. Whether that translates into people making different choices, that is hard to quantify, and I am not quite sure how we would do that. But we certainly see more people looking at our privacy Web pages now than we have in the past, and it is certainly something that we are cognizant of and want to make sure we are responsive to those concerns. Mr. Lance. Thank you very much. My thanks to the panel. I yield back the remainder of my time. Mrs. Bono Mack. The chair now recognizes Mr. Gonzalez for 5 minutes. Mr. Gonzalez. Thank you very much. I appreciate it. I apologize for not being here for the testimony. I had the opportunity to review written statements that were submitted. Again, I wish I could have been here for the testimony because it is incredibly important to have you here today and to share your viewpoints and your own experiences. My first observation, of course, is information gathering, dissemination, protection of same and so on, and how important that is to different industries. So I guess I want to acknowledge that in this informational age and how we market, how we promote products and services in our system is incredibly important, and things have been revolutionized. And the fact that you can now target audiences, which I think is a tremendous advantage--it makes a more effective way for those individuals in this country that have different business enterprises to reach their customers. And you know what happens when we reach customers? And that means we in fact do create wealth for many, and we create jobs in this country. So I want to acknowledge the importance of information gathering, what it means, and that many of the services that are provided today, as we say free, really constitute a trade. You will receive some sort of service through the Internet one way or another in return for allowing the person that is providing you this service or benefit the opportunity to basically establish some sort of consumer DNA. And that is the world that we live in. And I think, as I came in, one of the things that Mr. Hintze was pointing out is really whether the consumer is aware of the information that they are providing and its use. And we have struggled with this in the past, even years ago when I was on financial services, as to what an affiliate would share. But what it comes down to--Mr. Hintze, I was reading your testimony, and it is very interesting because you have different points. But one of them of course is technological tools. And that is that you, with Microsoft, could provide the consumer and the user of the Internet with the ability to basically not allow any kind of tracking to establish this consumer identity or DNA. Is that correct? Mr. Hintze. That is right. In the testimony, I briefly mentioned the features we built into Internet Explorer 9 in response to the call for ``do not tracking'' mechanisms that are browser-based. And if I could expand on that slightly, what Internet Explorer 9 does with the tracking protection feature is that it allows consumers to turn on this feature and import any tracking protection lists that they want, which would be a list of third party sites that may be tracking individuals across the Internet. And when you turn this on, it blocks those connections to those third parties. So, for example, if you went to a major news site and there were 10 third parties providing content on that site, which is not an uncommon scenario--a couple of them may be advertising networks. One may be a stock ticker; one may be an embedded video, all coming from different sites. If one or more of those sites were listed on a tracking protection list that a user had installed through this feature, that call just wouldn't be made, and that would cut off any ability for that third party to collect any information because it is blocking the content coming down, and it is blocking any other connection going back up to that third party. So the nice thing about that is it is technology neutral. It doesn't matter if they are tracking through a cookie or through logging IP addresses, or even one of these super cookie mechanisms, the connection just isn't made. It is kind of a sledgehammer approach. It blocks the content, too, but it is very effective. In contrast to some of the other ``do not track'' mechanisms that have been mentioned during the opening statement of Ms. Bono Mack, she mentioned that the Mozilla approach sends a signal to the receiving Web site that says ``do not track.'' The problem is there has been no definition or common understanding as to what a Web site is supposed to do in response to that signal. And we are working with the World Wide Web consortium and with Mozilla and with privacy advocates to try to provide some definition around that, so that there are additional choices for consumers that we support. But in the interim, the approach that we have taken is effective and doesn't rely on the receiving third party to make any choices or decisions. Mr. Gonzalez. Technology has created, we want to say it the dilemma or the challenge, so technology would be the answer. And I only have a few seconds. But let me get this straight. What you are able to provide the Internet user is going to be where they select the third party sites. This is not going to be a generic or universal application where I, Charley Gonzalez, I could just have this feature, and I don't have to identify a particular third party; it would just be all encompassing. It doesn't matter what contact or who I contact or who I connect with, I wouldn't have the ability to have that feature. It is all contingent on identifying the third party site. Mr. Hintze. You can download a list from an entity you trust; a privacy advocacy organization could publish a tracking protection list. Any organization could publish one. You could create one yourself, but as you mentioned, you would have to know. But you can rely on an organization to do that. And there are some out there that are very comprehensive. They have many, many third parties on there, that if you import that, it would block those third parties. So you don't have to do that sort of leg work yourself. You could rely on a trusted entity that you trust. Mr. Gonzalez. You are on the right track. Again--Madam Chair, if I could have a few extra seconds---- Mrs. Bono Mack. There will be a second round if we can. Mr. Gonzalez. I think we are going to have a second round, so if you can wait my turn again. Mrs. Bono Mack. The chair now recognizes Mr. Guthrie for 5 minutes. Mr. Guthrie. Thank you, Madam Chair. Thank you for coming. Thank you for being here today. Just a couple of questions as we move forward. Advertising has always been about behavior. All of us are behavior advertisers. I want to send pieces of mail to people who vote. So we always get the voter rolls out, and we go through. I know it is a public record, but it is private behavior that is made public for us to move forward and see. But what we have to do is to try to balance now that things are in hypermode with the technology. If you make a phone call, somebody knows where you are, they can find out where you are at all times. If you use your discount card, that is why they give you a discount; they want you to swipe it so they can track your behavior shopping so they know how things are going. But the question is we have got to try to balance. I know that Bing, Yahoo, Google, any search engine wants to outdo the other one. They want to be faster, better because they want me to go to it, because the more people that go to it, the more valuable their advertising space is, just like if I want to watch a Kentucky basketball game for free, they have got to take a break every 8 minutes to show a commercial, so I can watch it for free. And that has happened on the Internet, but the difference is they can individualize it, I guess. So I guess my point is, and I guess Dr. Acquisti, since you studied this--and you said you didn't think it would affect the economic behavior of this; we talked about the $33 billion of job loss. Ms. Blackburn asked a question. You said you didn't think it would affect it. If the search engines aren't getting the revenue from the advertising to let me to use it for free and they are competing against each other to make it better, so it is far better than it was a year ago, what is going to drive that innovation if the advertising dollars--if we follow the European model, what is going to drive the innovation or continue to be free to me, or will we have to start paying for it like when we did debit cards? We took a vote here to change the debit cards. Now the people who voted for it are complaining about the fact that banks are charging for it. So, I mean, that is the question what I want to ask you. How is it not going to affect--how is it going to work economically if we do the European style system? Mr. Acquisti. Definitely. So to clarify the point I was making in the testimony was not that there will be no effects, but rather I was pointing out that the so-called free goods we get online are free only if you don't consider the fact that we end up paying for them as consumers through a different channel as we purchase the goods, which are offered online. Mr. Guthrie. Like watching a sports game on television for free. You have got to sit through the commercial to watch it. Mr. Acquisti. That was the point I was trying to make. Mr. Guthrie. Or you can do Pay-Per-View and watch it without commercials. But a lot of us don't want to pay for a search engine. We just want it. And so who is going to pay for it if we don't do it? Is the model that you have to pay individually, like you have to sign up for a search engine, like $10 a month or something as opposed to getting it for free? How is it going to work if we don't have advertising? Mr. Acquisti. Actually, if I may, the alternative I don't believe is between no advertising and advertising. First of all, this is in parentheses, free content existed even before the age of behavior advertising. In fact, we don't know exactly how much of the free content now available online is due to behavior advertising versus quote-unquote more traditional. Mr. Guthrie. I only have a minute and a half. So maybe we can catch you in the second round. I wanted to ask Ms. Dixon. I had an uncle or great uncle who had early-onset Alzheimer's. He died in his 50s. I am 47 now. So if I go online and maybe I don't know this and I Google early-onset Alzheimer's, what do I need to fear that I don't know, because if I Google that right now, what could happen-- because you were saying that--I mean what would happen if I went in and search-engined that, what could happen to me that I don't know about? Ms. Dixon. In a search engine, I don't think you have so much trouble because most of the ads are contextual, and it is really not that big of a deal. Maybe you will find a rogue actor advertiser, who is kind of a low-hanging fruit and out of the ballpark and not playing by the rules. But in general, where you really need to be concerned is when you go to--a couple of different things. There are three scenarios. One, you go to a scammy site that is just built based on fear, and someone slapped up a Web site, and there are all sets of third parties on it, and they are gathering up any information you are filling into a form, and they are selling it on to a direct marketing list. That happens more often than I even want to describe. It is a terrible thing when it happens to anyone. That is what you need to fear. The second thing would be if you go to let's say a very legitimate Web site. It is a legitimate business. There are some very large Web sites that you could go to that focus on health care and type in your query. What can happen is that you simply begin to see advertisements that are focused on early Alzheimer's. That is really not that big of an outcome in my book. That doesn't bother me that much. What bothers me more is that there may be a number of third party entities on that page. It could be advertisers; it could be other kinds of third parties. It could be Facebook. It could be all sorts of different third parties now in this new kind of digital technology. Mr. Guthrie. What can they do to me? Ms. Dixon. Well, that is the thing. What they can do is they can take that information that you have given and merge it with other information, and that becomes a part of a profile about you or the computer you are using. If you have registered for the site, it becomes part of your profile. Mr. Guthrie. And somebody would use that to do what that would be negative? Ms. Dixon. They can sell it. They can sell it outright. It happens every day. Mr. Guthrie. So somebody can say, ``He must have Alzheimer's'' because you Google that? Ms. Dixon. Or he is interested in Alzheimer's information. Mr. Guthrie. And that is bad. OK. Ms. Dixon. Or has Alzheimer's, correct. Mrs. Bono Mack. The gentleman's time has expired. The chair recognizes Mr. Butterfield for 5 minutes. Mr. Butterfield. I think we are all well aware that a lot of free content available on the Internet is made possible by advertising, all types of advertising, not just behaviorally targeted advertising. I think consumers understand that they get free content thanks to the ads that surround that content. But what they often don't understand is that the spaces where those ads are placed might sometimes be watching them. As one privacy expert who has looked at consumer attitudes and behavior regarding privacy has put it, consumers accept the idea that ads support free Internet content but do not expect data to be part of that exchange. Many in the Internet tracking industry argue that steps to empower consumers to decide for themselves whether they want to allow tracking of their online activity will kill free Internet content. I, for one, do not buy this argument. I don't buy it because reported advertising revenue numbers don't support it. The last figure that we have been able to track showed that revenue from behaviorally targeted ads was $925 million in 2009. That is almost a billion dollars. This figure was reported in a large 2010 marketing industry blog post. This is the only easily accessible piece of information that we have been able to find that specifically breaks out revenue from these ads. In 2009, overall revenue from every type of Internet advertising was $22 billion, almost $23 billion. Now, the first question is open to anyone who wishes to respond. Can any of you provide more recent figures that clearly break out the amount spent on behaviorally targeted ads last year, not on display advertising generally or all online advertising, but specifically on behaviorally targeted ads? Do any of you have any data that you feel you can provide. As I used to say when I was a judge, let the record show that no one responded. Ms. Woolley. Let me just respond that according to the FTC's definition of what online behavioral advertising is, one of our partner trade associations in the DAA, the Internet Advertising Bureau, found that over 80 percent of the ads that are delivered are OBA or online behavioral advertising. And actually, I think, sir, the revenue number is significantly higher than the blog post that you cited. DMA has done several studies more recent than 2009 with global insight, and I think the number is actually substantially higher. Mr. Meyer. If I can add to that, I can follow up and get you the specific estimates. I think it is in the several billion dollars. And the other important thing to think about, there are two other important points. The first one is the definition of what is behavioral, and that is why a legislative approach could be so dangerous, because it could be anywhere from a reasonably small percentage to a number as high as 70 to 80 percent. That is the first piece. And the second one is that this is the fastest growing part of the online advertising industry. So if you break out the different pieces, the data-driven behavioral and network advertising is growing at the fastest rate inside of an overall very fast-growing industry, along with video advertising. Ms. Woolley. I guess one other point I would like to make here, too, is that there was a conversation about targeting individuals. I represent the Direct Marketing Association. Targeting individuals is not a new phenomenon. It is something that--the Direct Marketing Association is close to 100 years old. That is something that has gone on for close to 100 years. And direct marketing methods and techniques are part of the curriculum of almost every university that has a direct marketing program. So these are actual techniques and methodologies that are taught in university. So the thing that the Internet has done is make the process faster and more nimble. But the techniques and the methods are not new. Mr. Butterfield. All right. That is helpful. Thank you. I yield back. Mrs. Bono Mack. I thank the gentleman. The chair recognizes Mr. Kinzinger for 5 minutes. Mr. Kinzinger. Thank you, Madam Chair. Thank you all for coming out and for participating. I will be the first to say that I think government needs to put an end to needless regulations that do little to protect the consumer or protect jobs. But I am not convinced personally that ``do not track'' legislation is the right approach. I do have some serious concerns that without privacy protection, consumers can lose confidence in the online free market. Each of you represents responsible companies that are working to inform consumers in their privacy choices online. But in the end, you don't represent the bad actors that could potentially come and undermine your efforts. So my first question is to all of you, and we can do the hand raise thing. You all basically answered this, but I want to see for myself: Do you think the committee should pass privacy legislation to ensure the bad actors don't undermine your efforts? Who is a yes on that? And who is a no? So two noes. I am also deeply concerned by what a Stanford study that appeared in the National Journal yesterday said. The study shows that Web sites are unknowingly leaking email addresses, user names, and other personal information to ad networks. If consumers had the choice and were aware of this transfer of personal data, I don't believe the mass majority of consumers would support Web sites selling this personal information to outside parties. Should consumers be required to opt-in to allow Web sites to share this personal information? And let me also expand on that. I am not talking about a 30-page privacy statement that nobody reads. I don't think I have ever read a 30-page privacy statement in my life. Something that should clearly be presented before it is being shared. So should opt-in be a requirement? I guess we can start right to left---- Ms. Dixon. It is really complicated. Mr. Kinzinger. Well, let's try to keep it very short if we can. Ms. Dixon. It is a challenging question to answer in a black-and-white manner. If there is a first party relationship, that is one thing, but if we are using first fair definitions of first party, first party fine. Third party, that is a whole different thing. It really needs to opt-in for third party. Mr. Kinzinger. Doctor? Mr. Acquisti. I actually agree exactly with the statement. Mr. Kinzinger. Anybody else have anything? Ms. Woolley. I have an opinion, and it is a complicated question. The wonderful thing about the icon is that--which is over there; I don't think you were in the room when I mentioned that--is that it gives the consumers a choice about opting out of those third parties who are on a site and not allowing collection and use of the data. And it is easy. It is transparent. It is ubiquitous at this point. You can't be on the Internet without seeing the icon. Mr. Kinzinger. You are more of an opt-out versus an opt-in. Ms. Woolley. Well, there are lots of reasons that--the Stanford--and I don't even want to call it a study. It was the musings of a graduate student. It was not peer-reviewed. There was no methodology. That is all that it was. There are great reputable studies out there, but that was not one of them. As my colleague from Microsoft mentioned earlier, there are lots and lots of reasons why third parties are on Web sites. Some of them are there to serve ads. Some of them are there to collect information, but others are there to deliver content, like sport scores and stock scores. So if you are absolutely blocking third parties or you are collecting opt-ins for absolutely everything for third parties, the consumer has no--I mean, we go to CNN.com. We know what we want. And if I have to permit every single one of them, I don't know what I don't know. Mr. Kinzinger. Any of the other three of you? Mr. Meyer. I would like to go back to something you said about ``do not track'' and the need for legislation. The reason I said no is because it already exists in the form of the Federal Trade Commission Act. Just this morning, the Federal Trade Commission settled with a company for deceptive trade practice. And the situation you described tends to be firmly in line with those deceptive trade practices, and that is the right role of government---- Mr. Kinzinger. Thank you. I am going to have to cut you guys off because I have one more question. I have an update from a major telecom provider which says they are going to start sharing user information with local companies based on their physical address on an opt-out. They are also going to start recording and sharing URLs of Web sites visited with actual, physical locations of that users wireless device. It does say there will be no information that is personally identifiable, but after seeing the study, which you call into question but I have some interest in, I am not sure that it is possible. Should sharing a user's geolocation data with ad networks require a clear concise opt-in from the consumer? If we could go--do you three have anything, first? Mr. Hintze. I would be happy to address that. We operate a phone operating system as well as many of our other things in addition to our ad business, and our approach has been that we believe that the collection of precise geolocation information should require an affirmative consent on behalf of the user. Mr. Kinzinger. Does anyone disagree with that? Ms. Woolley. The one thing I do want to say is if information as you are describing it right here is aggregated, that geolocation that is aggregated and not specific to an individual could be used for all sorts of business decisions, not---- Mr. Kinzinger. We are talking about marrying that with a specific individual, though, in this case. But thank you all for your generosity. I yield back. Mrs. Bono Mack. The chair recognizes Mr. Dingell for 5 minutes. Mr. Dingell. Madam Chairman, thank you. I commend you for this hearing. These questions are yes-or-no questions. To all witnesses, starting at your left--rather at your right and my left, is it your understanding that interest-based advertising supports much of the free content of the Internet, yes or no? Beginning with Ms. Lawler. Ms. Lawler. Yes. Mr. Hintze. Yes. Mr. Meyer. Yes. Ms. Woolley. Yes. Ms. Dixon. Yes. Mr. Dingell. No disagreement. Further, is it your understanding that the consumers expect much of the content they consume online to be free, yes or no? Ms. Lawler. Yes. Mr. Hintze. Yes. Mr. Meyer. Yes. Ms. Woolley. Yes. Mr. Acquisti. No. Mr. Dingell. So no disagreement on that. Do you believe that all consumers have the same view of interest-based advertising, yes or no? Ms. Lawler. No. Mr. Hintze. No. Mr. Meyer. No. Ms. Woolley. No. Mr. Acquisti. No. Mr. Dingell. So we have agreement there. To all witnesses, is it fair to say that imposing ridged privacy requirements on interest-based advertising would have a drastic effect on the way consumers currently experience the Internet, yes or no? Ms. Lawler. Can you ask the question again, please? Mr. Dingell. Is it fair to say that then imposing rigid privacy requirements on interest-based advertising would have a drastic effect on the way consumers currently experience the Internet, yes or no? Ms. Lawler. I am going to say probably. Mr. Hintze. I know you asked for a yes or no, but I think it depends on what you mean by rigid. We think there can be some baseline privacy requirements that are perfectly consistent with the business models and innovation that we are talking about. Mr. Dingell. I will not object to any of you panel members giving additional response for the purposes of the record because that is fair to you. Mr. Meyer. Mr. Meyer. I would agree with Mr. Hintze that it depends on the level of the rigidness, but the potential for it having a negative impact is unnecessarily high in my opinion. Mr. Dingell. Ma'am? Ms. Woolley. Well, I have to give you the lawyer answer, too, which is, it depends. Because I think our program imposes very rigid requirements, and I think the way we have done it does not adversely affect the Internet. Mr. Dingell. Our next two panel members, please? Mr. Acquisti. My answer is not necessarily. Ms. Dixon. My answer is not necessarily. However, I am not sure that is the only thing we should be focusing on. Mr. Dingell. So I guess that is a maybe. To all witnesses, do you believe that the current industry efforts to protect consumer data privacy are sufficient, yes or no. Ms. Lawler. Yes, but we can do more. Mr. Hintze. Generally, yes. Mr. Dingell. If you please, Mr. Meyer? Mr. Meyer. We are off to a very good start, but we need the support of, in particular, of this committee and the Federal Trade Commission to accelerate the acceptance. Ms. Woolley. Could you repeat the question? Mr. Dingell. Do you believe that current industry efforts to protect consumer privacy are sufficient? Ms. Woolley. I believe that they are sufficient, but I also know that our program is evolving, so we have the ability to evolve and get stricter as times change. Mr. Acquisti. Unfortunately not, but I believe there are industries, privacy technologies which could definitely help. Ms. Dixon. At the current time no, however I believe that the efforts could be improved through self-regulatory reform, such as involving consumers, having independent bodies overseeing the efforts and other things that would---- Mr. Dingell. I have a minute and 3 seconds left. Do you believe that such efforts can be improved, or do you believe that Congress should pass data privacy legislation? Ms. Lawler. We believe that there is a significant opportunity for businesses to come together and lead more and do more in a self-regulatory approach. If Congress were to act, it would need to be a principle-based approach that is flexible and nimble and is not overly prescriptive. Mr. Hintze. I think current efforts can be improved, and they are being improved, and I think that there is also a role for baseline privacy legislation. Mr. Meyer. I don't think it is necessary, but if there were any type of legislation, it would need to provide safe harbor for existing problems. Ms. Woolley. I do not think that legislation is necessary, and I think our table includes many wonderful American companies, including GM, and I would invite everybody here to be part of that program because our table is open. Mr. Dingell. Sir? Mr. Acquisti. I believe it can be improved and the legislation can foster the deployment of technologies based on public/privacy interaction focused on privacy and data sharing. Ms. Dixon. Legislation will help and improvement of the current regimes will help as well. Mr. Dingell. Now, again, to all witnesses. I am intrigued by the concept of ``do not track'' list. Is it advisable for the Federal Government to mandate a ``do not track'' solution that prevents people from being tracked by the multiple devices that they use to access the Internet, yes or no? Starting with you Ms. Lawler. Ms. Lawler. We don't believe that it makes sense for the government to mandate a ``do not track'' approach. We think it needs to evolve in terms of tools and technology. Mr. Hintze. We agree with the comments of Ms. Lawler. The FTC's done a good job of encouraging industry to move forward, but the industry has responded in an active way. Mr. Meyer. Legislative mandates for technology we don't think are the right approach, especially because it would extinguish a very vibrant competitive entrepreneurial market that provides these tools today that continue to evolve and compete with each other. Ms. Woolley. People need education. They need to know what is going on. They need to be make their own choices. Mr. Acquisti. It may not be the ideal solution, but it is better than no solution Ms. Dixon. We do support ``do not track'' legislation. Mr. Dingell. I note I am out of time, Madam Chair. Mrs. Bono Mack. The chair recognizes Mr. Olson for 5 minutes. Mr. Olson. I thank the chairwoman. And I want to welcome the witnesses and thank you for giving us your time and expertise. And just for the record, my neighbors' kids were not out in the lobby early this morning. They are still back home in Texas, as far as I can tell. And my first set of questions are going to be for you, Ms. Woolley, and I want to follow up on the line of questions from Ms. Blackburn from Tennessee about the economics of privacy. And I am familiar with the Digital Advertising Alliance's effort to develop the advertising icon so proudly displayed over here, which provides consumers with notice and choice about ads being delivered to them through behavioral targeting. Many of the big companies have adopted the icon, but as you know, small business drives job creation in our economy. So can you elaborate more on how you have made the icon available to our small businesses for free? Ms. Woolley. Thank you for raising that. It is actually a great story. We have made the icon available for free. If you have less than $2 million of revenue that is derived from online behavioral advertising and you are a small business, you can get the icon for free. We also have a program with one of the ad networks that deploys the icon on small business Web sites. And the thing that that does is it enables those small businesses to get revenue from the ad networks because their ads are--they are now targeted ads. So it enables small businesses not only to get revenue from the businesses that they are in but from the advertising world as well. So it is actually a great program. Mr. Olson. That is my feeling as well. Would you say that the icon provides a competitive advantage to companies that adopt it? To put it another way, are companies competing for business based on privacy features? Ms. Woolley. Actually, that is very interesting. When we launched the icon, we did not anticipate it being a trust seal of sorts. We thought that it was really just a consumer notice and choice mechanism, but it has actually wound up being a trust seal. And companies are competing based on the fact that this is a symbol that consumers can see; they know, they know that there are principles and enforcement behind it, and they wind up trusting that site much more than they would have otherwise. Mr. Olson. So it actually is becoming competitive and driving---- Ms. Woolley. Absolutely. Mr. Olson. Finally, in your testimony, you mentioned one of the major benefits of industry self-regulation is its ability to respond quickly to changes in technology and business practices. And some have raised concern that data collected for advertising purposes could be hypothetically used as a basis for health insurance or credit eligibility decisions, but we don't have any actual examples or cases of this happening. But DAA is still going to address these concerns and help to expand your guidelines to clarify these kinds of practices that would be prohibited. Can you elaborate more on that initiative? Ms. Woolley. Yes, sir. You actually have stolen a little bit of our thunder, because in a couple of weeks, we are going to be making the announcements that all of the companies that comply with the DAA program will be prohibited from making eligibility decisions, any kinds of eligibility decisions based on data that is advertising and marketing data. So I know that the chairman of the Federal Trade Commission is fond of saying, ``If you buy a deep fryer online, then you will be denied health insurance.'' And we want to make it abundantly clear that that kind of decision is not acceptable. It is not part of the program. If you do that and you are part of the program, you will be thrown out of the program and referred to the FTC. Mr. Olson. I didn't mean to steel your thunder. That is not what I intended to do. This is a final question for all witnesses. Because of my time, I will probably have to make it yes or no questions. It is my understanding that the FTC has received a very wide range of comments concerning consumer attitudes and behavior when it comes to privacy. My interpretation of that wide range in comments: There is no clear consensus. Some consumers feel more strongly than others about online protections. And so my question for all of you, starting to the left and work to the right there, is there any hard data that you are aware of that demonstrates the level of discomfort or the percentage of consumers who are willing to forego the benefits of free content online in order to avoid being tracked, yes or no? Starting at the end with you, Ms. Lawler. Ms. Lawler. I don't have any specific information from our consumer or customer studies that would indicate that particular type of action. Mr. Hintze. It is hard to interpret a lot of the studies out there because, as Dr. Acquisti pointed out, there is a discrepancy between what people say and what they do. So you can find a lot of studies that say people are very concerned about privacy, and I believe there is something behind that. But in terms of the tradeoffs, that is harder to quantify. Mr. Meyer. We haven't seen that research. It is the same juxtaposition between what consumers say and what they do. But it is something we are actually looking at Evidon right now. Ms. Woolley. People vote with their feet or with their pocketbooks. And I think it is accurate to say that people are concerned about privacy, because they are. And I think it is also accurate to say that people are not afraid to use technology, and they are not afraid to use the Internet. Sales on the Internet have gone up exponentially in the last 3 years, and new devices come out. People love them. They buy them. They down load apps. They are very willing to adopt all of these new things as they come out. They love them. And we are very mindful of the fact that as an industry, we are the ones providing all of these great and wonderful and engaging things to people, but we have to take into consideration their desire for privacy. And that is the main reason that we have created this entire program. Mr. Olson. You have met my 14-year-old daughter. Mrs. Bono Mack. The gentleman's time has expired. And there will be a an opportunity for a second round, but there are still some other members needing to ask questions. The chair recognizes Mr. Stearns for his 5 minutes. Mr. Stearns. Thank you, Madam Chair, and let me compliment you. This is a great hearing, and I am glad to have all of these witnesses here. Ms. Woolley, let me say that I think that your logo and what you are doing is terrific, and I think it goes a long way toward this self-regulatory behavior and program. And we have just got to educate the consumers what it means when they see your logo. And hitting that logo, when I look at your slides, it starts to move into a little complication. And had you thought about perhaps even simplifying it even further, or do you think you are at the point where it is pretty well understood by consumers? Ms. Woolley. I don't think it is at the point where it is understood by consumers. We are actually later in the fall going to be launching an education campaign just to get at that point. We really hope that over time consumers will look at this symbol and know exactly what it means, kind of the way consumers look at the recycling symbol. Fifteen years ago, nobody really knew what the recycling symbol was and how they do it. Mr. Stearns. This Good Housekeeping Seal, which everybody recognizes, is universally accepted. Ms. Woolley. Exactly. To answer your question about whether the program is where it needs to be, we launched this program a year ago, and we are constantly looking for suggestions about evolving the program, making it more consumer-friendly and making it do really what all of you want it to do. So I welcome that input. Mr. Stearns. When I look through your slides, it is almost as a consumer, I just want one big button, can I opt out, and that is it, and it is done. Ms. Woolley. There are two ways that you can get to our opt-out. You can get to it from the icon that is on ads. The other way that you can get to it directly is if you go to www.aboutads.info, and if you go to that site, in the middle of that site is a huge check mark, and it says, for consumers, if you check on it, you can opt-out right there. Mr. Stearns. That opt-out, when you do that, does that apply to all of your companies, or does i apply to---- Ms. Woolley. The first thing that happens is you will see your computer churning away, and it will tell you the ad networks that are operating on your browser on that computer. And you can opt-out of all of them if you want to. Immediately behind it is a screen that tells you all of the ad networks that exist, and you can opt-out of all of those if you want. Mr. Stearns. I think it is a credit to what you are doing. When you see the European Union's privacy policy and then you see a lot of Latin America and a lot of Asian American countries have stopped--India is starting to include a privacy policy adopted after the European Union, we are almost going to be sitting here with a self-regulatory type of operation compared with everybody else. Do you feel there is any Federal baseline legislation that is needed at all for privacy? Ms. Woolley. Not at this time. We have got some great privacy laws in the area of HIPAA and Gramm-Leach-Bliley---- Mr. Stearns. Dealing with financial and health care---- Ms. Woolley. Exactly. Mr. Stearns. So you don't think there is any other area that is as sensitive? Ms. Woolley. I don't. Mr. Stearns. Do you think that there is any need for Federal baseline legislation for any aspect of personal privacy on the Internet? Just yes or no. Ms. Lawler. I need to say more than yes. Mr. Stearns. Just yes or no. If you have to check off whether we need Federal baseline legislation for any aspect of personal privacy on the Internet? Ms. Lawler. As a company that is already regulated by some of the laws just mentioned, if there were a Federal baseline approach, we would want to see something that is principle- based. So we think that there's a potential for an appropriate baseline in place---- Mr. Stearns. I have a bill H.R. 1528. It is a privacy bill that Mr. Matheson and I both dropped. Ms. Lawler. Yes. I have looked at that. Mr. Stearns. Do you think there is anything in there that you think should be needed? You won't offend me if you say no. Doesn't bother me at all. I have nothing tied to my legislation. Ms. Lawler. I think there are some things there that are workable. Mr. Stearns. Let me go down and ask you if you think there is any Federal baseline legislation, Yes or no? Mr. Hintze. Yes, we have been on record for a number of years. Mr. Stearns. I know. I thought you had. Mr. Meyer. We don't support any new baseline legislation, but having read your bill, the piece that we do like is the provision for safe harbor for self--existing self-regulatory. Mr. Stearns. Using the Federal Trade Commission. Ms. Woolley. Ditto with that. Mr. Acquisti. Yes, we do. Self-regulatory solutions tend to fail under pressure, and the recent studies have shown that there is a frequent non-compliance with NAA and the DAA initiatives among the top 100 Web sites---- Mr. Stearns. So your answer is yes, there needs to be some type? Mr. Acquisti. Yes. Mr. Stearns. Ms. Dixon, I assume you are a strong yes. Ms. Dixon. Yes, and we would still like to see reforms of existing self-regulatory programs to include consumers in other reforms. Mr. Stearns. Let me ask this last question and just ask one person, so it won't take too much time. What benchmarks are needed for self-regulation? Could you say from your experience what benchmarks are needed, since you represent the digital alliance? Ms. Woolley. Thank you. I think the right benchmark is not how many people opt-out. I think the right benchmark is how many people are seeing icons, and do they know what it means? So I think education is the right measure. Mrs. Bono Mack. Thank the gentleman. The chair recognizes Dr. Cassidy for 5 minutes. Mr. Cassidy. Thank you. I am never quite sure I understand this issue as much as I try and understand it. Ms. Lawler, did I hear you say that only 0.05 percent of people actually opt out? Ms. Lawler. Here is what I was saying is, we were talking about the opt-out rates for email marketing, which is different than the discussion that the majority has focused on today around online behavioral advertising. So what I was actually listing was kind of a range of industry standard, which is 0.1 to 0.05. That is a different kind of data than what we are talking about with opt-out for behavioral advertising. Mr. Cassidy. Ms. Woolley, Ms. Dixon raises some troubling things in their testimony. She speaks of how AOL once released some data sets; New York Times was able to track backward from these compressed data sets, supposedly disjointed, to find out where somebody lived. Now, do current self-regulating processes prevent that from happening again? Because that would certainly spook me if the New York Times was knocking on my door hey, Bill, what is happening? So you see my question? Ms. Woolley. I am not familiar with the point that was raised. Mr. Cassidy. Ms. Dixon, will you mention to her what your testimony said? Ms. Dixon. In the testimony, I was talking about that we needed a larger vocabulary when we are talking about online privacy. And I mentioned the AOL data breach in 2006. What happened is researchers at the company released data sets that were anonymized information about users, supposedly, and after it was released, a New York Times reporter went through and was easily able to look at little bits and pieces of scattered information that consumers had typed into search engines, and they identified people. Mr. Cassidy. So that said, that is troubling. Ms. Woolley. Yes, it is troubling. And the whole issue of data breach is very troubling. And I think that we need to be very careful about separating out privacy issues from data breaches. And the data breach issues I think require some significant action by Congress. Mr. Cassidy. Ms. Dixon, would that answer satisfy you? Ms. Dixon. I think that what happened at AOL was part of an environment where there is not a clear idea of what privacy benchmarks and standards there are. Mr. Cassidy. Yes, but that was a data breach? Ms. Dixon. I am not so sure that it was a data breach. I think that it can't easily be defined that way. Because when consumers type their search queriesinto that search engine, they relied on that AOL privacy policy that says, hey, we are going to do X, Y, and Z. Mr. Cassidy. Let me move on. Mr. Hintze, when I log on to MSN and I put in my user ID and then I hit in private browsing, does MSN or Bing still track me, even though Fox Sports may not or---- Mr. Hintze. The in private browsing feature in our Internet Explorer browser blocks third parties who are present on the Web site you have gone to. But when you have gone to a Web site--say you have gone to MSN. In that case, MSN would be the first party. That is the company, that is the Web site you chose to interact with. So it doesn't block the connection to that first party. Mr. Cassidy. So does MSN then track me across the Internet---- Mr. Hintze. No. The in private browsing, it prevents anybody who, other than the site you have chosen to go to--so when you go to MSN, MSN knows you are there. When you go to Amazon, Amazon knows you are there. But if there were a common third party, they would not be able to track you across those two sites because you blocked them. Mr. Cassidy. So for my home page for MSN, I have a Web site from Home Depot. Home Depot would not know, but MSN still knows. Is that correct? Mr. Hintze. Correct. If you type www.MSN.com into your Web site. Mr. Cassidy. Now I think I understand now how data is anonymized and theoretically, if you will, I am protected, but I gather that if you are MSN, Yahoo, or Google and I log in, that is not anonymous. That is actually me. Now, so, again, I am trying to understand this. I apologize if I sound stupid, but you can take, unlike everybody else who is anonymous, you actually know it is me. Now to what degree can you collate that with other information from other third parties? Mr. Hintze. You are correct that when you sign into a site you have self-identified yourself to them. You have said, hey, it is me; you have a billing relationship with them, for example. There are different methods used within the industry to anonymize data. Some are stronger than others. Mr. Cassidy. Does MSN anonymize my data once I have signed in, or do they keep it much as apparently AOL did, as a dataset which could be leaked and which could then be tracked back to my home address? Mr. Hintze. For search data, we store search queries, for our Bing search engine, we store search queries in association with a unique identifier which we put technical controls, including one-way cryptographic hashing, to prevent that data from being associated with identifiable data that you may have provided to another one of our sites. So, for example, if you had a Hotmail account and you had given us your name and your city, we would have that in one database, and we put in measures to make sure that when you put in your search query, that data is not associated, it is in different buckets. Mr. Cassidy. I am out of time, but I may hang for the second round. Thank you, I yield back. Mrs. Bono Mack. I thank the gentleman, and a few of us have stuck around for a second round. So I am going to begin with 5 minutes for myself, and the question--I don't know if it would be better for Mr. Hintze or Mr. Meyer or who. Anybody can take a crack at this. Something that just popped into my brain was deep packet inspection, and we haven't talked about that at all today. But my example is the other day I received an email from a friend of 40 years ago who I did gymnastics with. The message said ``gymnastics'' somewhere in there, and sure enough, for the first time ever, I received a bunch of ads about buying tumbling mats. I never, ever have gone online to look for tumbling mats. Deep packet inspection, is it a part of your thinking here, or is it as troubling to you as that glaring example was to me? Mr. Hintze. I will just briefly respond and then let others. We don't engage in it. It is not how we run our ad network. Even within our own email online service Hotmail, we do not base advertising based on the content of your email. Other companies do that; we do not. Mrs. Bono Mack. Have you supported in the baseline legislation, you have said you supported in the past, something that---- Mr. Hintze. We have supported Federal baseline privacy legislation. Like others on the panel, we think it should work in conjunction with self-regulatory initiatives with safe- harbor provisions, but it is something we have supported. Mrs. Bono Mack. And DPI, would you support throwing that in there, then? Deep packet inspection, would you support putting that in there? Mr. Hintze. You know, I think that one of the challenges with legislation is that when you get into particular technologies and try to ban technologies or methods, that can have unintended consequences. Mrs. Bono Mack. Thank you. Mr. Hintze. You talk about deep packet inspection, you talk about supercookies, there are certainly uses where we think those methodologies are inappropriate and invasive and not consistent with consumer expectations or choices they have made. But one can imagine that those kinds of technologies would be put to very beneficial uses, and so I think we have to be very careful about trying to regulate specific technologies. Mrs. Bono Mack. Thank you. Mr. Meyer? Mr. Meyer. I agree with Mr. Hintze. I think that Evidon's purview doesn't expand out into deep packet inspection, but our opinion is similar to the opinion on supercookies, that right now we don't see it as a good use in online marketing, but legislation carries with it a lot of risks around legislating a technology when things are evolving this quickly. Mrs. Bono Mack. Thank you. I really enjoyed Mr. Guthrie's questioning earlier. He really got to the crux of the whole matter, what does this mean. Miss Dixon, you took a crack at the answer, but it is the reputational harm that we are all concerned about, and then I am also concerned about a bridge too far. When does reputational harm then translate into physical harm? And those are the questions that I think we need to grapple with as policymakers. But I have also--and I keep going back to how the content, we had, you know, P2P, we had Kazaa, and Napster, and some things come up, and then i-Tunes came on the scene to deal with peer-to-peer, and now we are back to like a Spotify method where content is all free again. You can download 3,000 songs for free. So it is still evolving, and the business models are evolving. But really, me perhaps jumping ahead here to Intuit. Reputational harm for consumers is one thing, but I know that Intuit, the reputational harm that could happen to a company should they breach consumers' confidence is also something worth considering. And I think, Ms. Woolley and Ms. Lawler, if you would like to take the next minute and 45 to talk about your version of what would happen to your company if you lost consumer confidence by breaching what consumers believe you do to protect them. Ms. Lawler. When we conducted our customer research to understand their attitudes about privacy and how data was used, our customers were very clear that as long as we were open and honest and clear with them about what we were doing and giving them choices, that they would trust us, continue to trust us. So they said things like, ``I will continue to use your products because of the data stewardship principles that you are showing us; I feel safer in an unsafe world.'' Conversely, what we saw, because we did quantitative research where we got a lot of verbatims that I have just mentioned, but we also did qualitative studies where we talked one on one and in small groups, and in those sessions, I think our customers--and I think it is a proxy just for consumers at large--when you are dealing with unique data about me that is sensitive to my life or my business, I want control, I want to know what is going on, and if you screw that up, I am certainly going to consider going somewhere else. And to the point someone made earlier, consumers make choices with their feet and with their wallets. They also make choices in the online world essentially with their fingers and eyeballs. So that is why being as open and clear and transparent, starting with this idea that it is the customers' data, not ours, and putting them as much in control as possible, is just critical to our success. It enables us to actually innovate and use their data to benefit them in ways that improve their lives. Mrs. Bono Mack. Thank you. Ms. Woolley, if you would like to. Ms. Woolley. Thank you. One of the things that is great about the DAA program is that in order to get the principles in the first place, thousands of companies participated in that process, and the six trade associations that developed it also represent thousands of companies, so it really is a consensus- based program. And the reason that so many companies came to the program and came to the table was because they are all intent on doing the right thing. Obviously there are outliers out there who may or may not be as interested in doing the right thing, but the goal of the program is to get as many companies into the program as possible, and so the issue of reputational harm is clearly front and center for all of them. Mrs. Bono Mack. Thank you, and my time has expired. And I recognize Mr. Butterfield for 5 minutes. Mr. Butterfield. Thank you. Social networking sites like Facebook have made it possible for Internet users to share the details of their lives. The things users share can include seemingly mundane and harmless things like where they were born, or head shots and picture profiles. It can also include more intimate and personal details, like how they are feeling physically or mentally, their relationships, their political leanings, or even their work history or other affiliations. Some choose to put all of this out there for the whole wide world to see--I am not one of those, but some do--while some choose to make only the barest of details available to the world and selectively share based on their preferences. Professor, in your testimony you discuss briefly a couple of studies you have contributed that support the view that consumers' ability to make rational and fully informed decisions about their privacy preferences are constrained, constrained both by our limited ability to process information available to us, and advances in technology whose implications can't be understood or predicted by consumers. Specifically, you mentioned a study in which you were able to identify individuals and infer personal information about them using facial recognition technology in photos they had posted online on sites like Facebook. That is absolutely incredible. Can you please discuss this study a bit more, briefly describe what you did, what bits of information you used, how easily available it was to you, and what further information you were able to infer? Mr. Acquisti. Certainly. Indeed, our study was about finding out what happens when you combine publicly available information with off-the-shelf technology such as face recognition and cloud computing, and you put them together and you try to identify individuals online and offline and then infer more sensitive information. What we did, we started from images of faces of people that I could call them anonymous in the sense that we didn't have a name when we started the experiment. These images either came from online environments such as dating sites or from the State, students on the CMU campus. We used face recognition and cloud computing to compare these images to images we had downloaded from publicly available data, profiles on popular social networking sites, and when we found matches between a face in the first group and a face in the second group, we could then infer probabilistically the name of the person, up until then anonymous. With the name, we could then search for personal demographic information. For instance, from Facebook profiles we can find often the hometown where the person was born and the date of birth, and then with the hometown and the date of birth, using an algorithm we developed 2 years ago, we ended up predicting the Social Security number. So the sequence is start from a face, find a name online associated with the face, find publicly available information, not sensitive, but demographics for instance for the person, and with that information infer something more sensitive. It is a process of data accretion which shows the challenges we face in protecting privacy. Mr. Butterfield. You mentioned Social Security numbers, and that is somewhat intriguing. Are you saying that you are able to possibly predict Social Security numbers based on simple demographic data put up by individuals on Facebook? Mr. Acquisti. Yes. When I say ``predict,'' I stress that I am talking about a probabilistic prediction, not deterministic. What I mean is that a Social Security number has nine digits, and we would not be able to predict with a single attempt all nine digits at the same time, so our degree of accuracy changed, depending on whether we consider only the first five digits or all nine. But the stories that--and we showed this 2 years ago, because data about Social Security numbers is already publicly available--it is called the so-called death master file. It is a public database of all Social Security numbers of people who are dead, and because we have so much demographic data for people who are alive, we can interpolate, combine the two datasets and end up predictions as a sense for alive individuals. Mr. Butterfield. Let me yield to the chairman. Mrs. Bono Mack. I appreciate that very much. I think this is an important point that needs serious clarification. You can find all of that data on any public figure right now by going to a bio. You can open a book, somebody has written their life story. You don't need to create an algorithm, you can just do that. Why aren't people just creating, I mean other than creating the Social Security number, but you are trying to protect people from--for example, any Member of Congress, all that data is out there. So how is it different? Mr. Acquisti. So, indeed, there are two points to make here, one specific to as a sense. In recent years the regulatory approach has been towards making Social Security numbers less available, because we know they are so sensitive. And in a way that is well intended, a good meaning; but the challenge we show with our results is that even if you make Social Security numbers less available in public documents, they can still be predicted from otherwise publicly available data. Mr. Butterfield. Thank you. Mrs. Bono Mack. Thank you so much, Mr. Butterfield. Mr. Butterfield. Uh-huh. Mrs. Bono Mack. But your point that you began with, I think facial recognition technology is troubling for everybody, but your point was you are not critical of Social Security numbers. You are talking about how easy it is to search because, you know, we could be taking a picture of any of you and suddenly by tomorrow have your Social Security number. Mr. Acquisti. This is absolutely correct. Mrs. Bono Mack. This is a privacy debate. On the online world we are asking for more than perhaps has been out there for years, and these things aren't happening. So I just want to point that out, and I have overexhausted his time, so I need to--oK, yes, if you can respond briefly. Mr. Acquisti. The Social Security number prediction is just an example what can be done. The story we were telling with this recent study is that we are now close to a point where you can start from an anonymous face in the street and predict sensitive, not publicly available, but sensitive information about the person. Mrs. Bono Mack. I thank the panel and the gentleman for yielding to me, and I am happy to now recognize Mr. Stearns for 5 minutes. Mr. Stearns. Thank you, Madam Chair. We hear from consumers and from researchers like the professor today, and even from Intuit's own research, that privacy policies are too complicated and consumers don't bother to read them. And myself, if it is one or two pages I don't go further. And so I think most consumers just don't take the time. And then, of course, if the privacy is on the thin side and they are just-- such that they don't advocate enough, enough protection. So I guess, how do we bridge the gap and provide full disclosure without alienating the average consumer who is not a privacy professional? It seems to me that is about where we are. If we are talking about self-regulatory incentives, then you have got to have some kind of policy which bridges this gap and provides the information without confusing the consumer. So I thought I would just go from my left to my right, and maybe some ideas of how we could do this so that consumers are educated, for one; and two, that the privacies are not complicated and maybe design work or something like that, some ideas. Ms. Lawler. We are experimenting with different types of what I would call explanations to customers, and that is really out of our research--and some of our early findings suggest similar to what we have heard a little bit about today, a simple, plain English explanation in context. So you can't offer big blanket opt-in or opt-out or whatever kind of choice at the beginning of something where it is not relevant to me. I don't understand it. Customers have been very clear about that. And I think there are probably other studies that validate that, but in context. So we are actually running tests right now. We don't have the data yet. We would be happy to come back and share that at a future time. Mr. Stearns. OK. Ms. Lawler. One of the other things that we did that I think--just a couple of other quick thoughts, sir--is if we stopped thinking about privacy policies and privacy statements and put it in this framework and this idea that is plain, simple, short explanations, you have to have a policy somewhere, but really what consumers want is something that is simple, easy to understand, real-time. And if companies haven't done it, what I would suggest they do, which we did recently and have made improvements significantly, is run your policy statements, your explanations, through a grade-level analyzer. So we did that, and we have simplified our language so that it was closer to a 9th grade level rather than where we started a couple years ago at a 13th grade level. Mr. Stearns. OK. Let me go through the panel here. I have only got about 2-\1/2\ minutes left. Mr. Hintze. Yes. To cut this short, I agree with everything Ms. Lawler said. I think that in our experience the challenge is to get information in front of people when you are most likely to capture their eyeballs and their attention, and sometimes that means at the point of a decision making, when they are making a particular decision. Sometimes that can be too disruptive because they are so anxious to get the thing done that they are trying to get done, that if you put something in front of them, they are just going to hit ``cancel'' or ``yes'' or whatever the default is. So sometimes it is at the time you are installing a product. Sometimes it really sort of varies and you get there with a little bit of trial and error. Mr. Stearns. But the point at which you get their attention is what you are saying. Mr. Hintze. Yes, yes. Mr. Stearns. Mr. Meyer. Mr. Meyer. That is our business to figure this out, and the key thing I would add to the discussion is---- Mr. Stearns. Why, Mr. Meyer, don't you have privacy with a video, just a quick--I never see anybody have a video for privacy. Mr. Meyer. Some companies, some of our clients, do have videos in their privacy policy. Mr. Stearns. Somebody would say do this, do that. Mr. Meyer. Yes, it all depends on the segment. It is very hard to know which type of user is showing up in which particular experience, and the key is to create a layered experience so that it can stand up to the scrutiny of, you know, privacy advocates and academics, and as well as be simple enough for someone to get through it in a few clicks. And that is part of the reason we did this partnership with Akamai, to get the first layer as close to the point of engagement as possible, and then allow consumers who want more detailed information to dig through it, but not force them to read through a whole complex policy. Mr. Stearns. Gotcha. Ms. Woolley. Ms. Woolley. The goal that you mentioned is exactly the goal of the program, the advertising option icon program. It is in one or two clicks a simple explanation about what is going on, not---- Mr. Stearns. Have you thought about using video on it? Ms. Woolley [continuing]. A deep privacy policy, and also you can opt out. Mr. Stearns. Instead of a narrative, do you think a video would be better? Ms. Woolley. There is not a video, but good idea. I mean, it is something we may try and do. Mr. Stearns. Because you see, across these Web sites, the ones who are most successful have the videos instead of the narrative. Anyway, Professor? Mr. Acquisti. Two solutions which need to complement each other; one is standardize the starting line of privacy policies, which are common in form across Web sites. This decreases the cognitive costs for the consumer. And the second, a baseline level of protection further through regulation. Mr. Stearns. Would that come from that baseline from the Federal Trade Commission? Where would that baseline come from? Mr. Acquisti. For instance, from the Federal Trade Commission. Mr. Stearns. Oh, OK. Ms. Dixon? Ms. Dixon. I agree with Professor Acquisti's remarks. I would just add one thing. We are talking about improving self- regulation of consumers. I think we ought to hear from the consumers, and the consumers ought to be part of that self- regulatory process and have a permanent and defined role in that process so they can give us direct feedback. Mr. Stearns. Good. All right. Thank you, Madam Chair. Mrs. Bono Mack. Thank you, Mr. Stearns. The chair is happy to recognize Dr. Cassidy for 5 minutes. Mr. Cassidy. Mr. Hintze, OK, somebody--you have a phone, right? You have a phone system? So Microsoft does. If I log on my phone, I register my phone, I pull it out of the box and I register it, it says hey, I am Bill Cassidy, I am da-da-da, and I also again have MSN. You spoke about this kind of firewall, if you will, between my Hotmail account and my MSN activities. But what if Apple or Google or Yahoo! or you--I have a phone and either I have the phone which your company provides, or I am using the operating system that your company provides, or I am plugged into my browser on the phone; is that data correlated with my desktop browsing? Mr. Hintze. No, and---- Mr. Cassidy. And do you speak just for Microsoft or do you speak for an industry standard? Mr. Hintze. I am speaking for Microsoft. I am speaking for Microsoft. Well, it depends. It depends on the scenario you are talking about. If you log in to your Hotmail account on a PC and then you log into your Hotmail account on your phone, it is the same account; that data is connected on the back end. The problem is there are many different scenarios we can go through. If you are using a location-based service, where we as the operating service on the phone is providing this location service, that location data comes up without any identifying information. It comes up only so that it can send back location information so that an application can take advantage of that. And then on our back end, we don't store any unique IDs at all associated with the hardware or a user, and so, you know, it really depends on the scenario. In a logged-in scenario is the one scenario where, yes, there would be a linkage across the PC and---- Mr. Cassidy. Now, would this data be, could this data be or is this data, when it is connected, is it collated, correlated, da-da-da dated, in order to further target me in a more sophisticated fashion? Mr. Hintze. We are just moving into mobile ads, and so in the future I think the answer will be yes. But, again, we would do that in a way that takes into account our own privacy standards, the standards that are being developed by the self- regulatory initiatives, et cetera. So yes, but people will have choices about that. Mr. Cassidy. OK. Ms. Dixon, what are your thoughts about that, because you seem to kind of come from the most sort of we-have-to-be-concerned perspective? Ms. Dixon. Yes, the tethered applications, mobile phones that are--there is certain hard encoding that Mike could tell you more about, that links that phone directly to a person's identity in different ways than Web browsing does. So when we are talking about linking ads to phone technologies, I think that we are entering a new arena. The self-regulatory regime in place for that is a code of conduct by the Mobile Marketing Association, and the codes are profoundly general. They are so general it is unbelievable, and they are not protective at all. So a great deal of work would have to be done to reform this space or to regulate the space in order to provide baseline consumer protection. Mr. Cassidy. Ms. Woolley, what are your thoughts about that? And, again, I am going to cut you off in a second because I have one more question for Mr. Hintze. Ms. Woolley. Thanks. We are in the process of developing a program, building up a program where this icon will migrate to ads that are served on mobile devices. So a consumer will be able to not only see an ad on a mobile device, but he or she will be able to see the icon and opt out on that mobile device. And those choices, as we develop that program, expand that program to a mobile device, those choices must be honored by everybody in the chain of delivering that ad on a mobile device, the same way that the choices have to be honored. Mr. Cassidy. So you agree with Ms. Dixon, but you feel as if that work, that hard work is being done, if you will? Ms. Woolley. Absolutely. Mr. Cassidy. OK. Now, Mr. Hintze, in your testimony, reference 19--reference, I should say comments--you say that even if responsible companies adopt strong practices and participate in self-regulatory initiatives, bad apples can spoil the whole bunch. Michael Jackson's redux. And government can play a role by setting baseline standards. Now, that is a little bit less libertarian than I think some of the others on the panel. So you do see a role for government setting baseline standards. Mr. Stearns has legislation which, frankly, I haven't read, but he referenced it earlier. Have you read it, and if so--if not, confess; but if so, what are your thoughts on it? Mr. Hintze. We have read it and we have been on record for I think about 6 years now of supporting baseline Federal privacy legislation, that again it would be principles-based, not technologies-based. It would have to be flexible and incorporate safe harbors for effective self-regulatory initiatives. But there are a lot of things in Mr. Stearns' bill that we are supportive of, and we are, you know, happy to work with this committee and your office, Mr. Stearns, on that as well, going forward. Mr. Cassidy. OK. I am out of time. I yield back, and I thank you. Mrs. Bono Mack. Thank the gentleman, and we would like to thank our panel very much for being with us today. You have been quite gracious with your time, and I look forward to working with all of you again as we get closer to making some important decisions about the best ways to protect the online privacy of American consumers. I thank Mr. Butterfield and all of the members and staff of this terrific subcommittee for their participation. This was the fourth in our series of online privacy hearings so far this year. As the bits and bytes begin to add up, I think that we are getting closer and closer to understanding what the American consumers really want with respect to online privacy. I remind members that they have 10 business days to submit statements and questions for the record and ask the witnesses to please respond promptly to any questions they receive. The hearing is now adjourned. [Whereupon, at 11:29 a.m., the subcommittee was adjourned.] [Material submitted for inclusion in the record follows:] [GRAPHIC] [TIFF OMITTED] T4605.139 [GRAPHIC] [TIFF OMITTED] T4605.140 [GRAPHIC] [TIFF OMITTED] T4605.141 [GRAPHIC] [TIFF OMITTED] T4605.142 [GRAPHIC] [TIFF OMITTED] T4605.143 [GRAPHIC] [TIFF OMITTED] T4605.144 [GRAPHIC] [TIFF OMITTED] T4605.145 [GRAPHIC] [TIFF OMITTED] T4605.146 [GRAPHIC] [TIFF OMITTED] T4605.147 [GRAPHIC] [TIFF OMITTED] T4605.148 [GRAPHIC] [TIFF OMITTED] T4605.149 [GRAPHIC] [TIFF OMITTED] T4605.150 [GRAPHIC] [TIFF OMITTED] T4605.151 [GRAPHIC] [TIFF OMITTED] T4605.152 [GRAPHIC] [TIFF OMITTED] T4605.153 [GRAPHIC] [TIFF OMITTED] T4605.154 [GRAPHIC] [TIFF OMITTED] T4605.155 [GRAPHIC] [TIFF OMITTED] T4605.156 [GRAPHIC] [TIFF OMITTED] T4605.157 [GRAPHIC] [TIFF OMITTED] T4605.158 [GRAPHIC] [TIFF OMITTED] T4605.159 [GRAPHIC] [TIFF OMITTED] T4605.160 [GRAPHIC] [TIFF OMITTED] T4605.161 [GRAPHIC] [TIFF OMITTED] T4605.162 [GRAPHIC] [TIFF OMITTED] T4605.163 [GRAPHIC] [TIFF OMITTED] T4605.164 [GRAPHIC] [TIFF OMITTED] T4605.165 [GRAPHIC] [TIFF OMITTED] T4605.166 [GRAPHIC] [TIFF OMITTED] T4605.167 [GRAPHIC] [TIFF OMITTED] T4605.168 [GRAPHIC] [TIFF OMITTED] T4605.169 [GRAPHIC] [TIFF OMITTED] T4605.170 [GRAPHIC] [TIFF OMITTED] T4605.171 [GRAPHIC] [TIFF OMITTED] T4605.172 [GRAPHIC] [TIFF OMITTED] T4605.173